8-Apr-86 21:19:15-PST,12021;000000000000
Mail-From: NEUMANN created at  8-Apr-86 21:15:55
Date: Tue 8 Apr 86 21:15:55-PST
From: RISKS FORUM    (Peter G. Neumann, Coordinator) <[email protected]>
Subject: RISKS-2.38
Sender: [email protected]
To: [email protected]

RISKS-LIST: RISKS-FORUM Digest,  Wednesday, 9 Apr 1986  Volume 2 : Issue 38

          FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS
  ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
 The UK Driving Vehicle Licensing Centre (Brian Randell)
 Computer crime wave (Chris Hibbert)
 Programming productivity (Herb Lin)
 Request for information about military battle software (Scott E. Preece)
 Aviation Week Technical Survey:  AI & Aviation (Werner Uhrig)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious.  Diversity is welcome.
(Contributions to [email protected], Requests to [email protected].)
(Back issues Vol i Issue j stored in SRI-CSL:<RISKS>RISKS-i.j.  Vol 1: MAXj=45)

----------------------------------------------------------------------

From: Brian Randell <brian%[email protected]>
Date: Tue, 8 Apr 86 12:03:45 gmt
To: [email protected]
Subject: The UK Driving Vehicle Licensing Centre

Several newspapers and magazines here have carried stories about
the alleged activities of hackers regarding the Driving Vehicle Licensing
Centre - a very large computer system that has received much bad
publicity in the press and in parliament over the years because
of cost over-runs and delays.
Here is a sample, from  the April 1986 glossy journal "Business":

 "Computer hackers have been running a brisk racket "cleaning up" the
 driving licences of wealthy business men. For a charge of [pounds] 100
 a point endorsements have been erased from the files of the British
 Government's Licensing Centre at Swansea and its supposedly impenetrable
 computer ordered to issue new licences. Drivers who accumulate 12 penalty
 points within 3 years are liable to ban or disqualifications. Reckless
 driving, for instance, attracts 10 points; failing to stop after an accident
 5.9 points; drunken driving 10 points (plus a 12 months disqualification).
 Drivers' records at Swansea are held on the Department of Transport's
 3081 Model G mainframe, whose manufacturers, of course, are not responsible
 for its customers security procedures. About a year ago, an access code
 number appeared on at least four "bulletin boards" - informal computer
 games and information exchange facilities set up and used by home computer
 enthusiasts (not in this instance mischevious schoolboys).
 "I am not suggesting the number on the board was that of the DVLC", says a
 source, "but it gave you access to a database with levels of password
 protection. It was obviously a secure system and was related to DVLC
 because the name headed the file. The access was not very privileged
 but knowing the procedures allowed priority in the system and enabled you
 to eliminate endorsements and order new licences to be issued."
 Amendments to the DVLC mainframe were automatically carried through to
 the back-up records kept on magnetic disc storage."

Such stories have inspired denials from the DVLC - for example in Datalink:

 "The Driving and Vehicle Licensing Centre in Swansea has denied press
 reports that computer hackers have broken into its database and wiped
 traffic offenses off driver records.
 The DVLC, which employs 1500 staff in a computer centre running a variety of
 kit including two IBM 3083s, is adamant that its system is secure from
 outside interference. "We have no dial-in facility, there's no electronic
 access at all from off-site," a spokesman said.

Some 160 programmers work at the DVLC, and the spokesman admitted that
officials are "looking at internal arrangements" to see whether files have
been amended in return for payment."

My cynical view is that from most other sources such a denial would be
immediately accepted, and indeed it may well be true. However the thought that
such record tampering just might be going on, and so allowing banned drivers
back onto the roads, is a worrying one.

Cheers, Brian Randell - Computing Laboratory, University of Newcastle upon Tyne

 ARPA  : brian%[email protected]
 UUCP  : <UK>!ukc!cheviot!brian
 JANET : [email protected]

------------------------------

Date: Wed, 2 Apr 86 10:53:29 PST
From: [email protected]
Subject: computer crime wave
To: RISKS FORUM (Peter G. Neumann, Coordinator) <[email protected]>

There was an article in the March 31, 1986 edition of the Washington
Post's National Weekly Edition titled "The Computer Crime 'Wave': It's
more politician's bark than our byte".

After an initial few paragraphs in which the writer reminded us that
"national commissions that are set up to study and report on This Trend
or That Issue always end up concluding that the trend/issue in question
is a bigger national problem than anybody ever imagined", the article
reported on the "First Annual Statistical report" from the National
Center on Computer Crime.

"Over a two year period, the national center surveyed 130 prosecutor's
offices in 38 states and asked how many computer crimes each office had
encountered. ...  The national center's survey of prosecutors came up with a
grand total of 75 reported 'computer crimes.'  Even that minuscule number,
it must be noted includes some infractions that can only be classified
'computer crime' if you stretch the language considerably.  One reported
case involves ... a county prosecutor ...  who got a friend in the motor
vehicle department to delete two speeding tickets from his driving record.
This is labeled 'computer crime' because the record was on a computer tape...

In short, this first national census says that 'computer crime,' by any
stretch of the definition, is a statistically minute phenomenon.  The antics
of a few hackers have garnered grossly disproportionate attention from the
media and the law-enforcement community.  So-called 'computer crime' is
novel and exciting, so it's hardly surprising that even a few cases would
attract considerable notice.

But Legislators around the country are acting as if there really is a
'computer crime' problem.  The center's study shows that 22 states
passed new 'computer crime' legislation in the past two years. ..."

Chris

------------------------------

Date: Sun, 6 Apr 1986  23:45 EST
From: [email protected]
To:   [email protected]
Subject:  Programming productivity

   From: ihnp4!utzoo!henry at seismo.CSS.GOV

   I went and re-read Terry Winograd's old "Reactive Engine" paper.  He
   comments, roughly: "If, by decree of God or ARPA, we were only allowed
   to run one user at a time on the PDP-10, just think of all the effort
   that would be invested in making that one user's time productive."
   Despite the enormous increases in computing power available to
   individual users since then, that has not happened: much of that extra
   power is simply being thrown away.

True enough.  But why do you think that large amounts of effort
invested would necessarily improve productivity?  Despite long
practice, for example, people can hold only a few ideas simultaneously
in short term memory.  There are mnemonic aids available, but they
don't enable someone to do hundreds of times better.

I use this analogy because there is some evidence that limitations
on short-term memory account for a variety of cognitive limitations,
among which may be programming.  Ultimately, it may the limitations of
the human mind that prevent us from forever expanding our achievements.

   How many programmers, even ones working on life-critical software like
   airliner flight control or fiercely difficult problems like
   ballistic-missile defence, have the kinds of electronic and human
   support that these thoughts suggest are possible?

That's easy.  Not many.  Indeed, military software procurement is by
all accounts an utter mess.

------------------------------

Date: Mon, 7 Apr 86 09:43:05 cst
From: preece%ccvaxa@gswd-vms (Scott E. Preece)
To: [email protected]
Subject: Request for information about military battle software

> [Parnas, quoted by Dave Benson]

> The other members of the SDI advisory panel that David Parnas was on
> and other public figures have said "Why are you so pessimistic?  You
> don't have any hard figures to back up your claims."  Parnas agreed
> that he didn't have any until he thought of the only one that he
> needed: ZERO.  ZERO is the number of real systems that were trustworthy
> at first use.  ZERO is the number of real systems that met unknown
> requirements at first use.  ZERO is the number of prototyped systems
> that worked at first use.  ZERO is the number of simulated systems that
> worked at first use.  ZERO!
----------
There are two essential, undefined terms in this statement: "first use"
and "worked".  The shuttle Enterprise, for instance, worked the first
time they dropped it from its carrier 747.  Was that its "first use", or
do you count the many hours of simulation preceding that first flight?
I wasn't there and have no idea whether there were bugs that showed up,
but they clearly didn't keep the test from succeeding.  Is that
"working"?

The trouble with a debate like this is that it tends to force people
more and more into idiotic dichotoomized positions.  SDI software would
obviously be a huge challenge to produce and validate.  I have no hope
it would work perfectly the first time used; I have no reason to believe
it wouldn't work partially the first time it was used.  The question of
how perfectly it has to work is the central one.  All the reports I've
seen on both sides, including Parnas's essays, are hand waving.  The
task is too ill defined to be making statements about whether it can be
done.  The debate is silly.  If you build the thing, you don't trust
your security to it until you have been damned well convinced that it
works; I am unwilling to accept the statement that "You can never be
convinced that it works," when daily we all trust our lives dozens of
times to things that we have been convinced work.  There are plenty of
good and, I think sufficient, arguments for not building SDI without
claiming that it can't be done.

--
scott preece
gould/csd - urbana
ihnp4!uiucdcs!ccvaxa!preece

------------------------------

Date: Tue 8 Apr 86 11:06:41-CST
From: Werner Uhrig  <[email protected]>
Subject: Aviation Week Technical Survey:  AI & Aviation
To: [email protected], [email protected]
Message-ID: <[email protected]>

[ I am sure, readers of AVIATION and RISKS are interested also;
 for somewhat different reasons, of course ....                ---Werner ]

               ---------------

Date: Wed 26 Mar 86 09:08:28-PST
From: Oscar Firschein <[email protected]>
Subject: Aviation Week Technical Survey


AILIST readers might be interested in the following:

Aviation Week and Space Technology, Feb. 17, 1986 has a technical
survey of artificial intelligence, mostly applied to military
applications.  Included are the DARPA-supported programs in Pilot's
Associate and the Autonomous Land Vehicle (ALV) and the VLSI lisp
machine being built by Texas Instruments.

Company profiles include McDonnell Aircraft's work in the Pilot's
Associate and avionics maintenance expert system; Boeing's AI Center;
MITRE's work in natural language understanding; Grumman's decision
support systems; Hughes AI center; and Westinghouse avionics
troubleshooting expert system.

------------------------------

End of RISKS-FORUM Digest
************************
-------

You are viewing proxied material from gopher.quux.org. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.