The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 3 Issue 59

Saturday, 20 September 1986


o Computers and Wall Street
Robert Stroud
o Report from the Computerized Voting Symposium
Kurt Hyde
o Computers, TMI, Chernobyl, and professional licensing
Martin Harriman
o Failsafe software
Martin Ewing
o Software vs. Mechanical Interlocks
Andy Freeman
o How Not to Protect Communications
Geoff Goodfellow
o Info on RISKS (comp.risks)

Computers and Wall Street

Robert Stroud <>
Thu, 18 Sep 86 14:07:59 gmt
I came across an article in Computing which gives more details about the
way in which computer systems are influencing the stock market. It suggests
that dealers are forced to rely on the "intuition" of their system, even
against their better judgement, for fear of being caught out. Personally
I find this trend very alarming, but perhaps the fluctuations on the stock
market are just "noise" with no lasting influence on the real economy.
Unfortunately, the "noise" can be heard around the world.

Robert Stroud,
Computing Laboratory,
University of Newcastle upon Tyne.

ARPA (or ucl-cs.ARPA)
UUCP ...!ukc!cheviot!robert

"Technology led Wall Street to drop prices" by Alex Garrett

The crash in prices which wiped a record amount off the value of shares
on Wall Street last week was largely the result of computerised dealing
systems failing to read the market.

Computer generated selling of shares was estimated to account for almost
50% of the transactions that caused a record volume of 240 million shares
to change hands last Friday. But it is believed that the effect of the
computers was to exaggerate the underlying movement in the market, so
that many shares were sold unnecessarily.

The problem has arisen as a number of factors conspired to make the US
stock markets subject to increasing fluctuations, which in turn has caused
stockbrokers to rely far more heavily upon the split-second advice of their
computer systems. In particular, many systems are triggered by a drop in
share price to instruct a dealer to sell, and he will often do so, even against
his better nature, for fear of being caught out.

.... this kind of feature has yet to be adopted in the UK.

Ian Reid ... said that although shares will often recover their price within
a short time, some of the computer systems in the US do not have the intuition
to see this.

Report from the Computerized Voting Symposium

Jekyll's Revenge 264-7759 MKO1-2/E02 <hyde%abacus.DEC@decwrl.DEC.COM>
Friday, 19 Sep 1986 11:37:13-PDT
Belated Report from the  Symposium  on  Security  and  Reliability  of
Computers in the Electoral Process — August 14th & 15th, 1986

The participants came from many backgrounds, computer people, writers,
attorneys,  and  even  one Secretary of State.  Some of the highlights
emphasized by one or more speakers were:

      o  Lever voting machines are still  the  fastest  way  to  count
         votes.   The  computerized  vote counting machines are slower
         than lever machines, but faster than paper ballots.

      o  Lever voting machines still appear to be the  safest  way  to
         count votes.

      o  The  State  of  Illinois  tested  its   computerized   voting
         equipment  and  found  numerous  instances  of errors in vote
         counting, primarily in undervotes,  overvotes,  and  straight
         party crossovers.

         NOTE:  An undervote is voting for fewer candidates  than  the
         maximum  allowed  for  an  office.  An overvote is voting for
         more candidates than allowed for an office.  A straight party
         crossover is casting a vote to be applied to all members of a
         party and then switching one or more votes to candidates from
         another party.

      o  A group of Computer Science students  at  Notre  Dame  (South
         Bend,  IN)  tested a punch card voting system with a group of
         test ballots.  By altering only the control cards  they  were
         able  to  manage  the  vote  totals  to predictable incorrect

Some of the recommendations made by one or more speakers were:

      o  Five percent  of  all  votes  cast  should  be  recounted  by
         different method than the original count.

      o  Security  standards  for  computerized  voting   are   needed
         immediately.  The expanding use of computerized vote counting
         equipment may preclude an effective implementation of such  a

      o  Punch card ballots should be redesigned  to  make  the  punch
         card  into  a ballot that is readable by the voter as well as
         by the computer.

      o  Internal procedures of computerized voting equipment must  be
         open  to  the public in order to let the public be in control
         and to assure public confidence in the electoral process.

      o  Computerized voting equipment must  have  the  capability  of
         allowing  the  voter  to  monitor  the  ballots  cast  by the
         computer to be sure it has voted as instructed.

      o  There should be public domain vote counting software in order
         that   companies   not   have  to  keep  their  programs  for
         proprietary ownership reasons.

         NOTE:  Does anyone know of a Computer Science student looking
         for a project?  I'm willing to share my notes.

         Is there anyone with the resources to build  prototypes  that
         have security features, such as voter-readable punch cards or
         a computer-generated, recountable ballot?

Bill Gardner, New Hampshire's Secretary of State, informed us that New
York  City  is  planning  to  purchase  new voting equipment.  This is
likely to become a de facto standard for New York State and, possibly,
for  whole  the  nation.  Risks Forum people who'd like to contact the
New York City Task Force should contact:

David Moscovitz
New York City Elections Project
2 Lafayette Street, 6th Floor
New York, NY 10007
(212) 566-2952

The results of my informal poll  on  trusting  a  computerized  voting

                                       Trust     Not Trust   Undecided

(1) Internal Procedures secret          2/40         38/40           0
    Results not monitored by voter 

(2) Internal Procedures Revealed        6/40         34/40           0
    Results not monitored by voter 

(3) Internal Procedures secret         10/40         28/40        2/40
    Results can be monitored by voter 

(4) Internal Procedures Revealed       24/40         11/40        5/40
    Results can be monitored by voter 

Computers, TMI, Chernobyl, and professional licensing

Martin Harriman <>
Wed, 17 Sep 86 09:42 PDT
The NRC does require testing and certification of the software used in the
design of nuclear power plants:  this includes the software used for seismic
simulations, fueling studies, and simulations of coolant behavior (which
can get quite complex in BWR designs).

The reactors themselves are designed to be stable, so they do not require
a complex control system for safe operation (unlike military aircraft with
negative aerodynamic stability).  Incidentally, the feedback mechanisms
used to produce stability in US reactor designs are missing from graphite
moderated, water damped designs like Chernobyl; this lack of stability
contributed to the initial explosion at Chernobyl.

Professional licensing is state-regulated; I'm not aware of any states with
a professional engineer exam for software engineers.  I don't believe that
professional licensing is all that useful; I'm more interested in quality
assurance for safety-related software (and hardware) than in ensuring that
some fraction of the people developing the software passed an examination.
It would be fairly amusing if PE registration became popular with software
engineers, since it would mean they would all need to learn a fair chunk
of civil engineering (the Engineer In Training exam requires it).

  --Martin Harriman <>

Failsafe software

Martin Ewing <mse%Phobos.Caltech.Edu@DEImos.Caltech.Edu>
Thu, 18 Sep 86 09:57:27 PDT

How can we even dream of SDI or fly-by-wire aircraft when I just received
12 nearly identical copies of the last ARMS-D mailing, at 33 KB a crack?

Seriously, this is an example of failsafe:  if some transmission error
occurs before a message transmission is complete, send it again, and again,
and again...  And no one is even shooting at the net, as far as I know.

  Martin Ewing

Software vs. Mechanical Interlocks

Thu 18 Sep 86 10:16:01-PDT
One current advantage of mechanical interlocks is that they can (usually) be
bypassed or modified in the field.  If I went on a special toss-bombing
mission, I'd be much happier hearing "the mechanical upside-down
bomb-release interlock has been removed" than "we just patched out that
section of the code and burned a new prom".

How Not to Protect Communications

the tty of Geoffrey S. Goodfellow <Geoff @>
20 Sep 1986 06:52-PDT
  [The New York Times, September 13, 1986]

  BALTIMORE - The Senate should avoid repeating the mistake made by the 
House when it unanimously passed the Electronic Communications Privacy 
Act.  Purportedly a benign updating of the 1968 Federal wiretap law 
designed to guarantee privacy in the electronic age, the bill actually 
promotes the cellular telephone industry at the expense of the public 

  True enough, obsolete language in the existing wiretap law fails to 
address digital, video, and other new forms of communications.  The 
proposed law would fix that.  But it would also declare certain 
communications legally private regardless of the electronic medium 
employed to transport them.  The mere act of receiving radio signals, 
except for certain enumerated services like commercial broadcasts, would 
become a federal crime.

  To disregard the medium is to ignore the essence of the privacy issue.  
Some media, such as wire, are inherently private.  That is, they are 
hard to get at except by physical intrusion into a residence or up a 
telephone pole.  Others media, notably radio signals, are inherently 
accessible to the public.  Commercial radio and television broadcasts, 
cellular car telephone transmissions and other "two-way" radio 
communications enter our homes and pass through our bodies.  Cellular 
phone calls, in fact, can be received by most TV sets in America on UHF 
channels 80 through 83.

  If radio is public by the laws of physics, how can a law of Congress 
say that cellular communications and other forms of radio are private?  
The unhappy answer is that the proposed law appears to be a product of 
technological ignorance or wishful thinking.  A similar edict applied to 
print media would declare newspapers, or portions of them, to be as 
private as first class mail.  The result is plainly absurd and contrary 
to decades of reasonable legislative and judicial precedent.

  In contrast, present Federal statute prescribes a sensible policy for 
oral communications, protecting only those "uttered by a person 
exhibiting an expectation that such communication is not subject to 
interception under circumstances justifying such expectation."  To 
illustrate, a quiet chat in one's parlor would likely be protected.  
Substitute for the parlor a crowded restaurant or the stage of a packed 
auditorium, the expectation of privacy is no longer justified.  The law 
would not grant it.

  Congress should apply this same logic to electronic communications.  
The broadcasting of an unencrypted radio telephone call, or anything 
else, is an inherently public act, whether so intended or not.  Thus it 
violates the "justifiable expectation" doctrine, and warrants no Federal 
privacy protection.  

  Protection or no, people will not be stopped from receiving radio 
signals.  Even Representative Robert W. Kastenmeier, Democrat of 
Wisconsin, who championed the bill in the House, confesses that its 
radio provisions are essentially unenforceable.  They will have no 
deterrent effect, and they will not increase the privacy of cellular 
phone calls or other broadcasts.  Worse, the act would lull the public 
into a false presumption of privacy.

  On further examination, it appears that the legislation is really more 
a sham than an honest, if puerile, attempt by Congress to deal with new 
technology.  Its sponsors say they aim to protect all electronic 
communications equally.  Yet the bill sets out at least four categories 
of phone calls, with varying penalties for interception.  Cellular radio 
calls are guarded by threat of prison, but there is no interdiction 
whatsoever against eavesdropping on "cordless" telephones of the sort 
carried around the apartment backyard.

  So Congress is about to give the cellular telephone industry ammunition 
for advertising and bamboozling, promising privacy that does not 
actually exist.  Cellular service companies thereby hope to avoid losing 
revenue from customers who might use the service less if they understood 
its vulnerability.

  If Congress were serious about privacy in the communications age, it 
would scrap the Electronic Communications Privacy Act and begin anew.  
Legislators and the public must first grasp the true properties of new 
technologies.  Are those properties inadequate or unsavory?  If so, 
relief will only come from research and more technology not wishful 

  Robert Jesse is a technology consultant.    [known to us all as rnj@brl]

Please report problems with the web pages to the maintainer