Forum on Risks to the Public in Computers and Related Systems
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Volume 7: Issue 4
Monday 6 June 1988
Contents
Review article on privacy/civil liberties risks in CACM- Jon Jacky
RISKS of wrong numbers and tigers- Steve Nuchia
Academic Assignment of Viruses- Bill Murray
Peter J. Denning on Terminology- Bill Kinnersley
COMPASS '88 PROGRAM- Frank Houston
Halon agreement and the ozone models- Rob Horn
Info on RISKS (comp.risks)
Review article on privacy/civil liberties risks in CACM
Jon Jacky <jon@june.cs.washington.edu>
Sun, 05 Jun 88 17:32:33 PDT
Many readers of this digest will be interested in the article, "Information technology and dataveillance," Roger A. Clarke, Communications of the ACM, 31(5): 498 - 512, May 1988. This is a long review with 78 references. The author defines "dataveillance" to mean the systematic use of computing technology in the investigation or monitoring of the actions or communications of one or more persons. He distinguishes between "personal surveillance" - surveillance of an identified person, where there is a specific reason for the investigation, and "mass surveillance" - surveillance of large groups of people in order to identify individuals who might be of interest to investigators. The author concludes that computing technology is making it much easier to perform both kinds, a lot of it is going on and more can be expected. The author says he does not argue that surveillance is intrinsically evil or that it should be ruled out altogether, but argues that much of what is in fact now going on is in general a bad thing, especially the mass surveillance. He concludes that privacy and civil liberties protections in place in most countries are inadequate to protect against these new surveillance techniques. The author says that he feels people working in computing, due to their special knowledge, have some special responsibility to consider privacy implications of their work, evaluate safeguards, and lobby for effective ones.
- Jon Jacky, University of Washington
RISKS of wrong numbers and tigers
Steve Nuchia <nuchat!steve@uunet.UU.NET>
4 Jun 88 18:32:45 GMT
(Paraphrased from The Houston Post, 29 April) A local newscast carried a story on a Herpes research project under way at Baylor College of Medicine, and displayed a phone number for volunteers to call - with appropriate assurances of confidentiality. Not only was it the wrong number, it was the number for the "back door" to the public address system at Baylor (No indication of how large an area was covered - it is a big place.) The callers, hearing a pick up but no answer "assumed it was an answering machine" and "gave their names, phone numbers, everything."
I believe this points up an important "human factor." People are a lot less cautious when they initiate a contact than when they are contacted. This explains the easy success of the typical "service spoof" attacks - password harvesters and "night deposit box out of order" scams. I don't have a magic answer for designers of services - it is very hard to design a service that is at all hard to spoof if the clients aren't at least a little bit cautious.
Second item: One of the tigers went through a window in a door and killed an employee. It was at night and the public would not have been in immediate danger even in the daytime, but the incident nevertheless caused quite a ruckus. The firm that designed the enclosure stated that the door design, including the window pane used, was "standard" for that kind of application. The tiger had no trouble going through it, and there was no indication that it was defective, nor that any other tiger would have had any trouble going through any other door of like design. (Zoo officials have the big cats in holding cages while the window materials used in the (relatively new) cat facility are tested - by swinging miniature wrecking balls into them. The cat facility is a modern close-contact one - you can routinely find one of the lionesses sleeping against a window with the public on the other side - in a tunnel.)
Apparently quite a few nominally professional people in the world think that standards excuse them from thinking. Perhaps that explains the popularity of standards? Applicability to computers? Gee, there aren't any people clamoring for standards in the computer industry, are there?
Steve Nuchia uunet!nuchat!steve (713) 334 6720
[Yes, but we've always had tiger teams trying to break system security. PGN]
Academic Assignment of Viruses
<WHMurray@DOCKMASTER.ARPA>
Sun, 5 Jun 88 10:25 EDT
A society that depends upon any mechanism for its own proper functioning, cannot tolerate, much less encourage, any tampering with the intended operation of that mechanism. Therefore, one is tempted to rise up in indignation at the idea of a qualified academic assigning a virus to his students. The next thing you know, they will be assigning plagiarism. How about the forgery of academic credentials? Perhaps we should offer a course in how to falsify research results. Or, perhaps, on how to trash another's experiments, notes or reports. Perhaps it is a sign of immaturity that we are unable to recognize the moral equivalency. I will leave open the question of whether the immaturity is in the technology, the society, or academia. I thought that we put this issue to bed several years ago when we stopped assigning the breaking of security. It seems that we did not. For an academic to be unable to recognize that assignments, and the recognition that goes with their successful completion, encourages the behavior assigned, demonstrates a lack of understanding of the activity in which he is engaged. If he understands it, and still makes such an assignment, he demonstrates a lack of understanding of where his real interest rests. Such irresponsible behavior may account, in part, for the anti-academic bias in our society and for the manifest distrust of the scientific establishment. It is of little wonder that the citizens of Cambridge, Massachusetts are reluctant to trust the likes of these with genetic engineering. If there is any lesson that we should have learned from the computer, it is that understanding the effects of what we intend for it to do is a daunting task. Even getting it to do what we intend is not trivial. It seems to me, that there is plenty of material here for assignments; we need not look to assignments which are at best trivial, and at worst, dangerous. 
William Hugh Murray, Fellow, Information System Security, Ernst & Whinney
2000 National City Center, Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840
Peter J. Denning on Terminology
Bill Kinnersley <iphwk%MTSUNIX1.BITNET@CUNYVM.CUNY.EDU>
Mon, 6 Jun 88 12:02:13 mdt
Subscribers to this list may be interested in the recent article
"Computer Viruses" by Peter J. Denning in the American Scientist, vol 76
page 236. In particular, he discusses terminology. Paraphrasing his
definitions:
1) Worm - a program that invades a workstation and disables it.
COMPASS '88 PROGRAM
Frank Houston <houston@nrl-csr.arpa>
Thu, 2 Jun 88 12:46:15 edt
*****************************************
* *
* COMPASS '88 *
* JUNE 27th - July 1st, 1988 *
* *
* NATIONAL BUREAU OF STANDARDS *
* Gaithersburg, MD *
* *
* ADVANCE PROGRAM *
* *
*****************************************
* MONDAY, 27 JUNE 1988 *
Meeting of the Tri-services Software Safety Working Group
* TUESDAY, 28 JUNE 1988 *
0730 REGISTRATION
0900 CALL TO ORDER
General Chair---CDR Mike Gehl, Office of Naval Research
0910 OPENING REMARKS
Honorary Chair---Helen Wood, Deputy Director, Institute for
Computer Sciences and Technology, National Bureau of Standards
0930 PROGRAM OVERVIEW
Program Chair---Janet Dunham, Research Triangle Institute
0940 INTRODUCTION OF KEYNOTE SPEAKER AND PANEL
Chair, COMPASS Board---H.O. Lubbes, Space and Naval Warfare
Systems Command
0950 KEYNOTE ADDRESS
Chair, Keynote Panel---Dr. Roger McCarthy, Failure Analysis, Inc.
"THE PRESENT AND FUTURE SAFETY CHALLENGES OF COMPUTER CONTROL"
1100 COFFEE BREAK
1130 KEYNOTE DISCUSSION
PANEL: Herb Hecht, SoHAR, Inc.
Peter Neumann, SRI International
Jim Treacy, Federal Aviation Administration
Andres Zellweger, Computer Technology Associates
William J. Rodda, DELCO Electronics Corp.
1300 LUNCH BREAK
1430 RISKS AND BENEFITS
Chair---Janet Dunham, Research Triangle Institute
* "The Computer Related Risk of the Year: Computer Abuse"
Peter Neumann, SRI International.
* "Alzheimer's Patient Monitoring System"
Doris Rouse, Research Triangle Institute
* "Advance Computations into the Third Millenium"
James P. Farell
1530 COFFEE BREAK
1600 WHAT IS SOFTWARE SYSTEMS SAFETY?
Chair---Al Friend, Space and Naval Warfare Systems Command
* "Software Systems Safety and Human Error Avoidance"
Mike Brown, Naval Surface Warfare Center
* "A Definition of Process Security"
John McDermott, Naval Research Laboratory
* "Definitions and Requirements for Distributed Real-Time Systems"
Christina Berggren, IBM System Integration Division
* "An Approach to Software Safety Analysis in a Distributed
Real-Time System"
Sang H. Son and Chun-Hyon Chang, University of Virginia
and Paul V. Shebalin, ORI
1730 ADJOURN
1900 BANQUET
* "Stalking the Wily Hacker"
Cliff Stoll, Lawrence Berkeley Laboratories
* WEDNESDAY, 29 JUNE 1988 *
0900 RELIABILITY AND SECURITY OF VOTE COUNTING SYSTEMS:
Chair---Lance Hoffman, George Washington University
Panel: Roy Saltman, National Bureau of Standards
Emmett Fremaux, Jr., District Board of Elections and Ethics
Peter Neumann, SRI International
1000 ENGINEERING ERROR FREE SPECIFICATIONS
Chair---Sam DiNitto, RADC
* "Overview: Complementary Completeness"
Sam DiNitto, RADC
* "Early Detection of Requirements Specification Errors"
Paul C. Jorgensen, Arizona State University
* "Reliable Software Specification"
John McLean, Naval Research Laboratory
* "An Investigation of the Reliability of a Software
Specification"
Janet Dunham, Research Triangle Institute
1100 COFFEE BREAK
1130 DESIGNING SAFETY CRITICAL SYSTEMS
Chair --- Peter Neumann, SRI International
* "Designing Safety Critical Systems: The Viper Microprocessor"
Dr. John Cullyer, Royal Signals and Radar Establishment
* Question and Answer Session
1300 LUNCH BREAK
1430 SOFTWARE PRODUCT ASSURANCE: TECHNIQUES FOR REDUCING SOFTWARE RISK
Chair---Dolores Wallace, National Bureau of Standards
* "Software Product Assurance: Reducing Software Risks in
Critical Systems"
William Bryan and Stanley Siegel, Grumman Corporation
* "FIPS 132/IEEE 1012 SVV Plans Standard"
Dolores Wallace, National Bureau of Standards
1600 COFFEE BREAK
1630 VERIFICATION, TESTING, AND ANALYSIS
Chair---Michael Brown, Naval Surface Warfare Center
* "Predicting Computer Behavior"
Don Good, Computational Logic, Inc.
* "On Back to Back Testing"
Mladen Vouk, North Carolina State University
* "A Static Scheduler for the Computer Aided Prototyping System"
Dorothy Janson and Prof. Luqi, Naval Post Graduate School
* "The IBM Software Quality and Productivity Program"
Anne Martt, IBM Houston
1800 ADJOURN
* THURSDAY, 30 JUNE 1988 *
0900 SOFTWARE SAFETY MODELING AND MEASUREMENT
Chair---Herb Hecht, SoHaR
Panel: Jerry Mauck, Nuclear Regulatory Commission
Douglas R. Miller, George Washington University
Dev Raheja, Technology Management, Inc.
1015 USE OF MODELING TOOLS: A VARIED APPROACH
Chair---Don Lee, Aerospace Corporation
Panel: Sal Bavuso, NASA-Langley Research Center
Nancy Leveson, University of California-Irvine
1100 COFFEE BREAK
1130 PANEL DISCUSSION: SAFETY REVIEW PROGRAMS
Chair---George Finelli, NASA-Langley Research Center
Panel: Mike Brown, Naval Surface Warfare Center
Frank Houston, Food and Drug Administration
Mike Dewalt, Federal Aviation Administration
1300 LUNCH BREAK
1430 CASE STUDIES: OPERATIONAL SAFETY AND PROCESS SECURITY CONSIDERATIONS
Chair---Dan Strub, U.S. Air Force
* "On Software Safety Management"
Jim Dobbins, Verilog
* "A Methodology for Analyzing Avionics Software Safety"
Bob De Santo, LOGICON, Inc.
* "A Case Study of System Integrity for Alcohol Taxation"
T. F. Buckley, P.W. Garratt, and T.G. Gough, Leeds Univ., U.K.
* "Update on the Safety Verification of the B1 Bomber"
Joe Cantu, Boeing Military Airplane Company
* "The Centaur Project"
Helen De Mao, Corporation for Studies and Analysis
1600 BREAK
1630 CASE STUDIES: ASSURING MEDICAL SOFTWARE
Chair---Frank Houston, Food and Drug Administration
* "A Methodology for Assuring Medical Software"
Roger Fujii, LOGICON
* "Formal Safety Analysis and the Software Engineering Process in
the Pacemaker Industry"
D. Santel, C. Trautman, and W. Liu, Medtronic, Inc
* Discussion/Question and Answer
1800 ADJOURN
* FRIDAY, 1 JULY 1988 TUTORIALS *
0900 Software Safety and Process Security in the Ada Reusable Software
Environment
E.V. Berard, EVB Software Engineering, Inc.
0900 Verification and Validation
Dolores Wallace, National Bureau of Standards
and Roger Fujii, LOGICON, Inc.
1200 ADJOURN
REGISTRATION--Preregistration closes 17 June 1988. On-Site registration
will begin on 28 June 1988 from 0730 to 0900 in the NBS Administration
Building. Persons attending the Tri-Service Software Systems Safety
Working Group may register there on 27 June 1988 between 1530 and 1730.
PARKING--Parking is available in the NBS Visitors Parking Lot adjacent to
the Administration Building.
TRANSPORTATION--For those attendees who will be driving, the National
Bureau of Standards is located on Clopper Road near the I-270 interchange
approximately 12 miles north of I-495 (marked "National Bureau of
Standards/ Clopper Road" for northbound travelers; or "National Bureau of
Standards/Route 124 Darnestown" for southbound travelers). For attendees
who do not wish to drive, the conference hotels are accessible from Dulles,
National and BWI airports by regular limousine service with no reservation
required. Also, NBS provides shuttle service to and from the Shady Grove
Metrorail Station (on the Red Line) on the quarter and three-quarter hour
(0815, 0845, ... 1715) from the West side KISS AND RIDE lot. COMPASS will
provide a shuttle morning and evening between NBS and the conference
hotels.
MEALS--The registration fee includes lunches on Tuesday, Wednesday, and
Thursday, and Dinner on Tuesday evening. Refreshments will be available at
all breaks.
FOR ON-LINE or hard-copy REGISTRATION FORMS, PLEASE CONTACT FRANK HOUSTON
houston@nrl-csr.arpa .
Halon agreement and the ozone models
Rob Horn <harvard!ulowell!infinet!rhorn@husc6.harvard.edu>
Thu, 2 Jun 88 19:31:50 edt
The real risk with the freon-halon-ozone controversy is best
understood when you realize that the Third World countries were
major opponents to the production freeze. The major uses of
freons are:
1) Refrigeration
2) Manufacturing
3) Fire Protection (only about 10%)
Freons have been shown to be much cheaper and much safer than the
alternative technologies. Only recently have there been
indications that equally safe refrigeration technologies can be
practical, and these will be many times more expensive.
In the Third World refrigeration means much more than a cool car.
It can mean the difference between life and death. In food
production, refrigeration allows produce to reach markets, to be
stored safely. Without it (and most underdeveloped countries
lack adequate refrigeration) food spoils, farm incomes drop
dramatically, people go hungry, people starve. In medicine,
refrigeration means medicines that don't spoil and blood
transfusions. Lack of refrigeration means death. So the Third
World countries opposed the removal of freons. Why agree to many
thousands of deaths just to keep the Americans happy? The future
environmental destruction is a good reason, but with so much at
stake the evidence must be persuasive. Even with the new
technologies, they must weigh the huge increase in costs against
their limited incomes.
The evidence from the computer models is weaker than the press
reports indicate. The measurements of world ozone show an
*increase* of about 5% from 1960 to 1975 followed by a much
larger and faster decrease of about 15% since then. The computer
models do not predict or explain that increase. Their
predictions of what altitudes would have how much of a decrease
do not match the observed decreases. The models did not predict
the Antarctic `hole', although this has a tentative explanation.
I believe that the real deciding factor was the intuitive
decision by the negotiators that while the models were pretty
inaccurate, the measurement data was accurate enough to make the
trend very worrisome. The rapid action following confirmation of
the satellite data calibration is consistent with this. It also
is evidence of a cautious approach towards computer models. The
research level was dramatically increased, both into the
atmosphere and into freon substitutes, after the initial modeling
results were published. Freon uses with easy substitutions
(spray propellent) were eliminated in the US. Oddly, the
Europeans did not follow suit. The drastic changes were studied,
but no action taken until there was much more information.
The Montreal agreement also places real emphasis on more data gathering and
analysis following the agreed freeze and reduction in production. The
reduction goal can be met with changes in refrigeration and manufacturing
without any change in fire protection uses. The United States may move
internally for much larger reductions. The large chemical companies may decide
to switch production entirely when suitable substitutes are found. Dow has
announced its intention to completely phase out freon production. The
international agreement is to reduce somewhat, then wait for more evidence from
measurements.
Rob Horn