Mail-From: NEUMANN created at 20-Sep-86 08:58:08
Date: Sat 20 Sep 86 08:58:08-PDT
From: RISKS FORUM    (Peter G. Neumann -- Coordinator) <[email protected]>
Subject: RISKS-3.59
Sender: [email protected]
To: [email protected]

RISKS-LIST: RISKS-FORUM Digest, Saturday, 20 September 1986 Volume 3 : Issue 59

          FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS
  ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
 Computers and Wall Street (Robert Stroud)
 Report from the Computerized Voting Symposium (Kurt Hyde)
 Computers, TMI, Chernobyl, and professional licensing (Martin Harriman)
 Failsafe software (Martin Ewing)
 Software vs. Mechanical Interlocks (Andy Freeman)
 How Not to Protect Communications (Geoff Goodfellow)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious.  Diversity is welcome.
(Contributions to [email protected], Requests to [email protected])
 (Back issues Vol i Issue j available in CSL.SRI.COM:<RISKS>RISKS-i.j.
 Summary Contents in MAXj for each i; Vol 1: RISKS-1.46; Vol 2: RISKS-2.57.)

----------------------------------------------------------------------

From: Robert Stroud <robert%[email protected]>
Date: Thu, 18 Sep 86 14:07:59 gmt
To: [email protected]
Subject: Computers and Wall Street

I came across an article in Computing which gives more details about the
way in which computer systems are influencing the stock market. It suggests
that dealers are forced to rely on the "intuition" of their system, even
against their better judgement, for fear of being caught out. Personally
I find this trend very alarming, but perhaps the fluctuations on the stock
market are just "noise" with no lasting influence on the real economy.
Unfortunately, the "noise" can be heard around the world.

Robert Stroud,
Computing Laboratory,
University of Newcastle upon Tyne.

ARPA robert%[email protected] (or ucl-cs.ARPA)
UUCP ...!ukc!cheviot!robert

----------------------------------------------------------------------------
Reproduced without permission from Sep 18th Computing, (c) Computing.

"Technology led Wall Street to drop prices" by Alex Garrett

The crash in prices which wiped a record amount off the value of shares
on Wall Street last week was largely the result of computerised dealing
systems failing to read the market.

Computer generated selling of shares was estimated to account for almost
50% of the transactions that caused a record volume of 240 million shares
to change hands last Friday. But it is believed that the effect of the
computers was to exaggerate the underlying movement in the market, so
that many shares were sold unnecessarily.

The problem has arisen as a number of factors conspired to make the US
stock markets subject to increasing fluctuations, which in turn has caused
stockbrokers to rely far more heavily upon the split-second advice of their
computer systems. In particular, many systems are triggered by a drop in
share price to instruct a dealer to sell, and he will often do so, even against
his better nature, for fear of being caught out.

... this kind of feature has yet to be adopted in the UK.

Ian Reid ... said that although shares will often recover their price within
a short time, some of the computer systems in the US do not have the intuition
to see this.

------------------------------

Date: Friday, 19 Sep 1986 11:37:13-PDT
From: hyde%[email protected]  (Jekyll's Revenge 264-7759 MKO1-2/E02)
To: [email protected], self%[email protected]
Subject: Report from the Computerized Voting Symposium

Belated Report from the Symposium on Security and Reliability of
Computers in the Electoral Process -- August 14th & 15th, 1986

The participants came from many backgrounds: computer people, writers,
attorneys, and even one Secretary of State.  Some of the highlights
emphasized by one or more speakers were:

     o  Lever voting machines are still the fastest way to count
        votes.  The computerized vote counting machines are slower
        than lever machines, but faster than paper ballots.

     o  Lever voting machines still appear to be the safest way to
        count votes.

     o  The State of Illinois tested its computerized voting
        equipment and found numerous instances of errors in vote
        counting, primarily in undervotes, overvotes, and straight
        party crossovers.

        NOTE:  An undervote is voting for fewer candidates than the
        maximum allowed for an office.  An overvote is voting for
        more candidates than allowed for an office.  A straight party
        crossover is casting a vote to be applied to all members of a
        party and then switching one or more votes to candidates from
        another party.

     o  A group of Computer Science students at Notre Dame (South
        Bend, IN) tested a punch card voting system with a group of
        test ballots.  By altering only the control cards they were
        able to manage the vote totals to predictable incorrect
        totals.

Some of the recommendations made by one or more speakers were:

     o  Five percent of all votes cast should be recounted by a
        different method than the original count.

     o  Security standards for computerized voting are needed
        immediately.  The expanding use of computerized vote counting
        equipment may preclude an effective implementation of such a
        standard.

     o  Punch card ballots should be redesigned to make the punch
        card into a ballot that is readable by the voter as well as
        by the computer.

     o  Internal procedures of computerized voting equipment must be
        open to the public in order to let the public be in control
        and to assure public confidence in the electoral process.

     o  Computerized voting equipment must have the capability of
        allowing the voter to monitor the ballots cast by the
        computer to be sure it has voted as instructed.

     o  There should be public domain vote counting software in order
        that companies not have to keep their programs for
        proprietary ownership reasons.

        NOTE:  Does anyone know of a Computer Science student looking
        for a project?  I'm willing to share my notes.

        Is there anyone with the resources to build prototypes that
        have security features, such as voter-readable punch cards or
        a computer-generated, recountable ballot?


Bill Gardner, New Hampshire's Secretary of State, informed us that New
York City is planning to purchase new voting equipment.  This is
likely to become a de facto standard for New York State and, possibly,
for the whole nation.  Risks Forum people who'd like to contact the
New York City Task Force should contact:

David Moscovitz
New York City Elections Project
2 Lafayette Street, 6th Floor
New York, NY 10007
(212) 566-2952


The results of my informal poll  on  trusting  a  computerized  voting
system:

                                      Trust     Not Trust   Undecided

(1) Internal Procedures secret          2/40         38/40           0
   Results not monitored by voter

(2) Internal Procedures Revealed        6/40         34/40           0
   Results not monitored by voter

(3) Internal Procedures secret         10/40         28/40        2/40
   Results can be monitored by voter

(4) Internal Procedures Revealed       24/40         11/40        5/40
   Results can be monitored by voter

------------------------------

Date:     Wed, 17 Sep 86 09:42 PDT
From:     Martin Harriman <MARTIN%SRUCAD%[email protected]>
To:       [email protected]
Subject:  Computers, TMI, Chernobyl, and professional licensing

The NRC does require testing and certification of the software used in the
design of nuclear power plants:  this includes the software used for seismic
simulations, fueling studies, and simulations of coolant behavior (which
can get quite complex in BWR designs).

The reactors themselves are designed to be stable, so they do not require
a complex control system for safe operation (unlike military aircraft with
negative aerodynamic stability).  Incidentally, the feedback mechanisms
used to produce stability in US reactor designs are missing from graphite
moderated, water damped designs like Chernobyl; this lack of stability
contributed to the initial explosion at Chernobyl.

Professional licensing is state-regulated; I'm not aware of any states with
a professional engineer exam for software engineers.  I don't believe that
professional licensing is all that useful; I'm more interested in quality
assurance for safety-related software (and hardware) than in ensuring that
some fraction of the people developing the software passed an examination.
It would be fairly amusing if PE registration became popular with software
engineers, since it would mean they would all need to learn a fair chunk
of civil engineering (the Engineer In Training exam requires it).

 --Martin Harriman <martin%[email protected]>

------------------------------

Date:     Thu, 18 Sep 86 09:57:27 PDT
From:     mse%[email protected] (Martin Ewing)
Subject:  Failsafe software
To:       arms-d%[email protected],
         risks%[email protected]

How can we even dream of SDI or fly-by-wire aircraft when I just received
12 nearly identical copies of the last ARMS-D mailing, at 33 KB a crack?

Seriously, this is an example of failsafe:  if some transmission error
occurs before a message transmission is complete, send it again, and again,
and again...  And no one is even shooting at the net, as far as I know.

 Martin Ewing
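The duplicate-delivery failure Martin Ewing describes is the classic at-least-once retry problem: a sender that cannot tell "never delivered" from "delivered, but the acknowledgement was lost" resends the whole message on every timeout, and a receiver with no notion of message identity files every copy. The following is an added example, not code from the digest or from any mailer discussed in it. The scripted channel, the sender's retry policy, and the message identifier used as an idempotency key are all constructed for the demonstration; the point is that the fix belongs on the receiving side, which keys on a stable identifier (the role a mail Message-ID header plays) rather than on the sender giving up sooner.

```python
"""Added example: naive 'send it again' retries versus an idempotent receiver."""

from dataclasses import dataclass, field


@dataclass
class ScriptedChannel:
    """Constructed lossy channel for the demo.

    Every send() really delivers the message to the far end, but the
    acknowledgement back to the sender is lost whenever the next entry of
    ack_lost is True. The sender then sees a timeout and cannot distinguish
    'never delivered' from 'delivered, ack lost'.
    """
    ack_lost: list
    delivered: list = field(default_factory=list)
    _sends: int = 0

    def send(self, msg):
        self.delivered.append(dict(msg))          # the far end now has a copy
        idx = self._sends
        self._sends += 1
        lost = self.ack_lost[idx] if idx < len(self.ack_lost) else False
        if lost:
            raise TimeoutError("no acknowledgement received")


def send_with_retries(channel, msg, max_attempts):
    """The 'failsafe' policy from the digest: on any error before the transfer
    is confirmed complete, resend the whole message. Returns attempts made."""
    for attempt in range(1, max_attempts + 1):
        try:
            channel.send(msg)
            return attempt
        except TimeoutError:
            continue  # retry; any copy that already arrived is forgotten
    return max_attempts


def deduplicate(delivered):
    """Idempotent receiver: keep the first copy of each message identifier and
    drop later ones. Assumes the sender attaches a stable id (a Message-ID
    header in mail) that does not change across retries."""
    seen = set()
    unique = []
    for m in delivered:
        if m["id"] in seen:
            continue
        seen.add(m["id"])
        unique.append(m)
    return unique


def simulate(ack_lost, max_attempts=20):
    """Push one constructed message through the retrying sender over a channel
    with the given ack-loss script.

    Returns (attempts made, copies the naive receiver files, copies the
    idempotent receiver files).
    """
    channel = ScriptedChannel(list(ack_lost))
    msg = {"id": "<arms-d-demo-1@example.invalid>",   # constructed identifier
           "body": "ARMS-D digest (constructed body, ~33 KB in the real case)"}
    attempts = send_with_retries(channel, msg, max_attempts)
    return attempts, len(channel.delivered), len(deduplicate(channel.delivered))


if __name__ == "__main__":
    # Eleven lost acknowledgements, then one that gets through: the naive
    # receiver files 12 copies, the idempotent receiver files 1.
    print(simulate([True] * 11 + [False]))
```

A sender-side cap on retries (max_attempts) only bounds how many copies pile up; it does not prevent them, and it trades duplicates for silent loss when the channel is merely slow. Deduplicating on a message identifier at the receiver removes the duplicates regardless of how many times the sender tried, which is why retry and idempotency are designed together.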

------------------------------

Date: Thu 18 Sep 86 10:16:01-PDT
From: Andy Freeman <[email protected]>
Subject: Software vs. Mechanical Interlocks
To: [email protected]

One current advantage of mechanical interlocks is that they can (usually) be
bypassed or modified in the field.  If I went on a special toss-bombing
mission, I'd be much happier hearing "the mechanical upside-down
bomb-release interlock has been removed" than "we just patched out that
section of the code and burned a new prom".
                                              -andy

------------------------------

Date: 20 Sep 1986 06:52-PDT
Subject: How Not to Protect Communications
From: the tty of Geoffrey S. Goodfellow <Geoff @ csl.sri.com>
To: [email protected]
Cc: [email protected]

 [The New York Times, September 13, 1986]

 BALTIMORE - The Senate should avoid repeating the mistake made by the
House when it unanimously passed the Electronic Communications Privacy
Act.  Purportedly a benign updating of the 1968 Federal wiretap law
designed to guarantee privacy in the electronic age, the bill actually
promotes the cellular telephone industry at the expense of the public
good.

 True enough, obsolete language in the existing wiretap law fails to
address digital, video, and other new forms of communications.  The
proposed law would fix that.  But it would also declare certain
communications legally private regardless of the electronic medium
employed to transport them.  The mere act of receiving radio signals,
except for certain enumerated services like commercial broadcasts, would
become a federal crime.

 To disregard the medium is to ignore the essence of the privacy issue.
Some media, such as wire, are inherently private.  That is, they are
hard to get at except by physical intrusion into a residence or up a
telephone pole.  Other media, notably radio signals, are inherently
accessible to the public.  Commercial radio and television broadcasts,
cellular car telephone transmissions and other "two-way" radio
communications enter our homes and pass through our bodies.  Cellular
phone calls, in fact, can be received by most TV sets in America on UHF
channels 80 through 83.

 If radio is public by the laws of physics, how can a law of Congress
say that cellular communications and other forms of radio are private?
The unhappy answer is that the proposed law appears to be a product of
technological ignorance or wishful thinking.  A similar edict applied to
print media would declare newspapers, or portions of them, to be as
private as first class mail.  The result is plainly absurd and contrary
to decades of reasonable legislative and judicial precedent.

 In contrast, present Federal statute prescribes a sensible policy for
oral communications, protecting only those "uttered by a person
exhibiting an expectation that such communication is not subject to
interception under circumstances justifying such expectation."  To
illustrate, a quiet chat in one's parlor would likely be protected.
Substitute for the parlor a crowded restaurant or the stage of a packed
auditorium, and the expectation of privacy is no longer justified.  The
law would not grant it.

 Congress should apply this same logic to electronic communications.
The broadcasting of an unencrypted radio telephone call, or anything
else, is an inherently public act, whether so intended or not.  Thus it
violates the "justifiable expectation" doctrine, and warrants no Federal
privacy protection.

 Protection or no, people will not be stopped from receiving radio
signals.  Even Representative Robert W. Kastenmeier, Democrat of
Wisconsin, who championed the bill in the House, confesses that its
radio provisions are essentially unenforceable.  They will have no
deterrent effect, and they will not increase the privacy of cellular
phone calls or other broadcasts.  Worse, the act would lull the public
into a false presumption of privacy.

 On further examination, it appears that the legislation is really more
a sham than an honest, if puerile, attempt by Congress to deal with new
technology.  Its sponsors say they aim to protect all electronic
communications equally.  Yet the bill sets out at least four categories
of phone calls, with varying penalties for interception.  Cellular radio
calls are guarded by threat of prison, but there is no interdiction
whatsoever against eavesdropping on "cordless" telephones of the sort
carried around the apartment backyard.

 So Congress is about to give the cellular telephone industry ammunition
for advertising and bamboozling, promising privacy that does not
actually exist.  Cellular service companies thereby hope to avoid losing
revenue from customers who might use the service less if they understood
its vulnerability.

 If Congress were serious about privacy in the communications age, it
would scrap the Electronic Communications Privacy Act and begin anew.
Legislators and the public must first grasp the true properties of new
technologies.  Are those properties inadequate or unsavory?  If so,
relief will only come from research and more technology, not wishful
legislation.

 ------------
 Robert Jesse is a technology consultant.    [known to us all as rnj@brl]

------------------------------

End of RISKS-FORUM Digest
************************