The RISKS Digest
Volume 8 Issue 39

Thursday, 16th March 1989

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

Solar flares vs. garage door openers
Steve Bellovin
Peter Scott
Sunspots and Power Lines
John Coughlin
Man-machine interfaces and perception-impaired people
David A. Honig
Re: reverse engineering of type fonts
Herman J. Woltring
Re: Ethics Question
Marc Mengel
Re: Toshiba DOS 3.3 Backup deletes files
Jay Elinsky
Re: IBM's claims to omnipotence
Dr Robert Frederking
Re: Pushbutton Banking
Tom Coradeschi
Info on RISKS (comp.risks)

Solar flares vs. garage door openers

<ulysses!smb@research.att.com>
Thu, 16 Mar 89 10:40:37 EST
You write that the solar flares have been affecting garage door openers.  Maybe
not.  According to a report on CBS News this morning, the FCC is aware of the
problem, refuses to say what it is, but says it will clear up in about 6 weeks.
When asked if it's a secret government project, they refuse to say.

The transmissions are from the top of Mount Diablo, but the FCC [office in
Livermore] refuses to identify the agency sending.  They'll be transmitting
through May 2.  Quoth an FCC representative:  ``We're not obligated to do
anything'' because the openers operate on frequencies also used by the
government, and the openers are ``unprotected devices''.  His solution: switch
to another frequency.

I wonder what other equipment, besides garage door openers, is failing?  And if
they — whoever ``they'' are — even thought about the question first?

Steve Bellovin                                   
                [This report was also noted by Jan Wolitzky and Tim Garlick.
                Also, Michael Sclafani — who had not heard it — wondered
                how a solar flare problem could arise only in the Mt. Diablo
                area.  PGN]


Re: Sunspots & Communications

Peter Scott <PJS@grouch.JPL.NASA.GOV>
Thu, 16 Mar 89 09:30:38 PST
[...]  I thought that g.d. openers operated in the microwave range; isn't this
power level of transmission unhealthy?

Peter Scott (pjs@grouch.jpl.nasa.gov)
                                        [Especially if you jack up the power.
                                        You need jacks or better to open.  PGN]


Sunspots and Power Lines

John Coughlin <John_Coughlin@RMC.BITNET>
16 Mar 89 12:19:00 EST
Earlier this week a massive blackout hit the province of Quebec, plunging about
6 million people into darkness.  A substation on one of the main lines feeding
electricity from the James Bay hydroelectric dams to the south of the province
had shut down.  The suspected reason:  the recent intense solar activity. It
took almost half a day to rectify (pun intended) the problem, because it was
first necessary to identify which of several substations located in a remote
area was at fault.

John Coughlin, BULL Kingston        (613) 541-6439       <JC@RMC.BITNET>


man-machine interfaces and perception-impaired people

"David A. Honig" <honig@BONNIE.ICS.UCI.EDU>
Thu, 16 Mar 89 12:36:00 -0800
In RISKS [ Wednesday 15 March 1989   Volume 8 : Issue 38 ]
Ken Harrenstien <KLH@SRI-NIC.ARPA> writes, 

 Think about color-coded displays.  Touch displays.  Mice.  Voice-synthesized
 responses.  And so on.  None of these is suitable for everyone, but as long as
 a system is not limited to just one way of doing things, no one will be
 excluded.  I sincerely hope that in the rush to automate everything, designers
 take advantage of the flexibility that computers give them to provide for as
 many alternatives as possible.  The person who benefits will someday be you.
 --Ken

 The developers of advanced man-machine interfaces who wish to use
stereooptical displays (so users can manipulate virtual 3-D objects)
will have to contend with the fact that approximately 10% of the population
has some form of stereodeficiency (usually caused by eye problems 
as an infant).  Groups at NASA, MIT Media Lab, etc. have working prototypes,
and it is common for CAD/CAM users to employ 3-D computer graphics.

David Honig, Dept of Info & Comp Sci, Univ. of Calif., Irvine, Ca. 92717


Re: reverse engineering of type fonts (Herman J. Woltring)

<WWTMHJW@HEITUE5.BITNET>
Thu, 16 Mar 89 12:03 N
Mr Randell Neff's query in Risks Digest 8(37) of March 11, 1989 on the ethics
and legality of investigating a commercial object and of recovering some of the
basic information incorporated in such an object (type fonts information in his
paradigm) seems to have a direct bearing on my own (too lengthy) contribution
in Risks Digest 8(34) of March 2, 1989.  The French proverb "C'est le ton qui
fait la musique" (i.e., the way that you put your arguments will have a strong
bearing on how your views are perceived and interpreted) may be relevant, as Mr
Neff's statement seems to convey that the VorTex people were boasting about
their success in avoiding payment of (too) much money.  If this was indeed the
case, no wonder that some people including Mr Neff became rather upset.

Apart from such psychological factors, the legal and ethical aspects might be
discussed as follows.  I should state that I am neither a lawyer nor an
ethicist, but just a computer architect interested in balancing Intellectual
Property with Freedom of Information, considering the complementary nature of
these aspects under Section 27 of the 1948 Universal Declaration of Human
Rights and under Section 15 of the 1966 International Covenant on Economic,
Social, and Cultural Rights.

Under most legislation in competitive economies, investigating some commercial
object by disassembling it for one's own purposes is perfectly ethical and
legal.  It is only once a direct-for-profit goal becomes the target, that
patent law etc. impose certain constraints.  Freedom of Information, especially
in the USA with its Freedom of Information Act, is an important asset that
should not be forgotten lightly.

If disassembling a (purchased or borrowed) object for research on its
functioning and properties is acceptable in a competitive context, why should
it become inacceptable if done in a not-for-commercial-gain context?  Mr Neff
referred to trade secrets of the font information incorporated in Adobe's
product, and this ties directly into the present, commercial drive to use
copyright law for imposing trade secrecy on the fundamental know-how contained
in a (software) object.  However, trade secrets must be KEPT secret, e.g., by
binding human persons in contract and by storing documents in strong vaults.
It does not make sense to rely on legal connotations that "reverse engineering"
of an object (whether hardware or software) are inappropriate and an
intellectual burglar's instruments for "theft of know-how":  research is
allowed on the topography of hardware chips and under patent law (but licences
may be imposed once the results of such research are to be exploited
commercially); similar research should remain possible under copyright law.
This obtains even more because of the automatic, virtually costless protection
granted by copyright; patent law requires rather expensive, administrative
procedures.

As I am most familiar with the software aspects, I'd like to clarify things in
the software area, although I do not know whether the VorTex/Adobe controversy
is a hardware or a software issue.  Higher computer languages exist in order to
accomodate the cognitive capabilities of the human computer architect and
programmer, and machine languages exist in view of the limitations of current
hardware technology.  The gap between these two is bridged by compilers and
decompilers, and compilers have never been designed in order to impose secrecy
of the know-how underlying a software package.  Thus, decompilers are not
automatically improper tools.

Nevertheless, a number of creative legal experts consider it useful for their
own purposes to declare decompiling and similar forms of analysis and research
first an unethical, then a pirating, and finally an illegal activity.  However,
the mere fact that there is a new market for something (software used to be
freeware!) does not automatically imply that existing tools and technologies
should be reinterpreted as legal instruments.  Such political interpretations
should be judged in terms of the necessary balance between protection and
freedom to copy, lest inappropriate monopolies (and similar advantages) are
generated or no protection is provided at all.

For example, the "Green Paper on Copyright and the Challenge of Technology"
published by the Commission of the European Community last summer makes
specific reference to the information industry's need that reverse engineering
should be allowed lest competition would be stultified:  in each competitive
situation, we may copy relevant aspects from our competitors (not slavishly,
but creatively, by building on those predecessors' work), and this should
certainly remain pos- sible.  Balance and counterbalance must, of course, be
provided, and the copyright doctrine that only form or expression, but not
basic ideas or contents are to be protected, is one of the tools for that
purpose.  In my mind, this means that a legal "fair use / fair dealing"
exemption for research, review, and criticism of a protected object should be
maintained, but that unfair uses should be outlawed.  (The national motto "Je
Maintiendrai" of the Kingdom of The Netherlands may be of some relevance,
here.)

Case law under the Anglo-American Copyright system has been perfectly capable
to interpret the extent of (un)fair behaviour, whether commercial or
consumptive.  The non-competitive VorTex case seems quite within the range of
what is called "Fair Use" under Section 107 of the US Copyright Act.  In fact,
Mr Neff did not clarify his claim that the VorTex activity with respect to
Adobe was "certainly not research", as VorTex seemed concerned with saving
money for research purposes; rather, the VorTex group might deserve to be
congratulated with saving the Californian and other taxpayers' money?  After
all, the VorTex group did not slavishly copy a protected object for its own,
routine use, but analyzed it and then built its own version instead.  The
similarity to industrial 'clean room' procedures where (computer) architects
analyze an object and provide their findings to an independent, 'clean' team of
programmers or hardware engineers may be obvious.

As regards copyright protection of digital encoding of fonts, I doubt that this
does not exist in the USA.  Certainly, the 1988 Copyright, Designs and Patents
Act in the U.K. provides for specific Copyright protection of typefaces and
print lay-outs.  Much more serious is the possibility that the VorTex group (if
Fair Use under Section 107 USC Copyright Act should not apply) might invoke the
11th Amendment to the US Constitution which grants individual States (including
State instrumentalities like the University of California at Berkeley) immunity
against copyright damage claims under the federal Copyright Act:  see the paper
"An Open Letter on Piracy" in Software Magazine 8(3) of March 1988, republished
in ACM's Computers and Society 18(3) of July 1988, also referred to in my Risks
posting of March 2, 1989 quoted above.

Finally, I hope that Mr Neff has communicated his feelings to the UCB professor
of whom he was so critical, and that a reaction may appear from him on this
forum; I hope that such a communication took place prior to Mr Neff's going
public on this issue.

Herman J. Woltring 

Re: Ethics Question (Randall Neff, RISKS-8.37)

<att!cuuxb!mmengel@ucbvax.Berkeley.EDU>
Mon, 13 Mar 89 23:59:59 -0800
>Is this ethically correct?   

    Copyrights and intellectual property are a very sticky issue...
    especially in a case like this. 

    Consider: Adobe's *internal coding* of the fonts is considered 
    a trade secret, and that trade secret has *not* been abridged 
    by digitising the display of the font.  The display of the
    font was performed by the group's equipment, and with electricity
    for which they paid... If I buy a machine that makes pretzels,
    may I not sell the pretzels?  

    Lets say I write a book, printed with Adobe's fonts — can I
    sell copies of the book?  Or must I purhcase the font from Adobe
    for large sums of money?

>Is it all right to acquire a company's product by clever coding?  

    Clearly not, if you mean breaking some form of computer security
    to obtain copies of the software, etc.  On the other hand, to 
    build your own product that acts like another company's is quite 
    the proper thing to do.  Just ask Suave shampoo. ("Ours does what 
    theirs does...") Or your local pharmacist who makes generic versions 
    of common brand name pharmaceuticals.

    It is the latter course that the CS department has followed, in
    my opinion.

>Is it reasonable behavior for a Famous CS department funded by California 
>     taxpayers and NSF grants (it is certainly not research)?

    I find your assertion questionable — after all, universities
    design operating systems, and aren't there operating systems
    being sold by companies?  Don't features of those operating
    systems get put into these research systems by "clever coding?"

    If you want to, you can make any research implementation of 
    anything which has been previously built in industry sound like
    some sort of copyright violation; just say that the products
    do similar things, and the students managed to "reproduce" the
    package with "clever coding"...  Never mind if the researchers
    happen to stumble upon a signifiganly improved method of getting
    the job done, or learn something usefull about software engineering...

>Is there a reasonable way for an audience member to stand up and say:
>    "For Shame, this is ethically reprehensible behavior and you're setting
>     a bad example for students everywhere."

    Not unless you can first demonstrate that the behaviour is
    morally reprehensible.  When you can do that, you need merely
    ask a few pointed questions of the presenters, and the conclusion
    will be obvious to the other listeners.

    However, from the way you describe it, they wrote their own
    implementation of Postscript, a programming language in its
    own right, with their own code for displaying fonts, etc.
    and then wrote a program that could digitize characters which
    were to be displayed on their printer, and could digitize *any*
    font displayed on that printer, even one they might have done
    by hand; they then used this tool to digitize a font they had
    purchased the right to reproduce in its displayed form (It would
    be ludicrous to suggest they need an incredibly expensive liscence
    just to make photocopies of documents printed on their printer,
    for example).

    They rewrote Postscript, and digitized some fonts for its use.
    They could just as easily have run the New York Times through
    a scanner and picked the letters from it, or typed the alphabet
    on their typewriter and scanned it in with a digitizer.
    The typewriter company sells those printwheels for the typewriter;
    but have our proponents done anything ethically abhorrent?  I
    don't think so.

 Marc Mengel


Re: Toshiba DOS 3.3 Backup deletes files

"Jay Elinsky" <ELINSKY@YKTVMX.BITNET>
Thu, 16 Mar 89 08:56:31 EST
Stephen Farrell writes

>the moral seems to be that you should sometimes make a backup before making a
>backup!

It's "standard practice" to keep at least two sets of backups.  Call one
set of diskettes A, and the other B.  This week write your backups on
set A.  Next week write them on set B, and then back to set A, etc.  If your
machine dies in the middle of writing on set B, you have some hope of
restoring from set A (the backup you took a week ago).

The UNIX manual page dump(8) tells about a hierarchial dumping scheme in which
you keep some backups forever.
                                 Jay Elinsky, IBM T.J. Watson Research Center,
                                 Yorktown Heights, NY


Re: IBM's claims to omnipotence (RISKS-8.32)

Dr Robert Frederking <ref@ztivax.siemens.com>
Mon, 13 Mar 89 14:49:16 -0100
(1) Why these things always go IBM's way in the press:
    IBM probably has more PR people than most companies have programmers.

(2) My biggest complaint about an article like this is that apparently no
    one, including the reporter and the poster to this list, remembers that
    the first(?) launch had to be rescheduled because of a complete computer
    system failure in the flight-control computers!  This, in a "bug-free"
    system.  It turned out that there was a 1-in-64 chance (really!) of the
    system not synchronizing on start-up.  Once it hit the bad combination,
    it had to be reset before it would correctly synchronize.  This wasn't
    discovered in testing because they were too busy testing software in the
    individual machines to keep cold-starting the whole system.  The whole
    thing had been started from scratch less than 10 times.

Robert Frederking, Siemens AG/ZFE F2 INF 23, Otto-Hahn-Ring 6,
D-8000 Munich 83  West Germany  Phone: (-89) 636 47129


Re: Pushbutton Banking

Tom Coradeschi <tcora@ARDEC.ARPA>
Thu, 16 Mar 89 18:27:21 EST
In a similar vein, the credit union here, at ARDEC has a system much like that
you've described. It is somewhat safer, however. The ID number you use is your
choice, not something nominally available to the public, like your SSN. It is
not possible to transfer funds OUT of checking, to savings or elsewhere. It is
possible to transfer funds into checking, but that's what you want to do,
anyway. The only possible means of screwing someone over, I can think of, would
be to locate both his account number and ID number, and make a withdrawal.
However, the method of withdrawal the credit union uses is to mail a check to
the address of record for the account. And there is no way to change your
address using the phone. That requires an in-person visit, with account
identification. If you've got that, why bother using the phone, when you can
walk up to a teller window and clean out the account?  I'm sure that there are
some bugs in this system as implemented, and someone who was really trying
could find them, but they certainly aren't as readily apparent as those
described earlier.
                                        tom c

Electromagnetic Armament Technology Branch, US Army Armament Research,
Development and Engineering Center, Picatinny Arsenal, NJ 07806-5000

Please report problems with the web pages to the maintainer

x
Top