RISKS-LIST: RISKS-FORUM Digest Monday 6 June 1988 Volume 7 : Issue 4
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Contents:
Review article on privacy/civil liberties risks in CACM (Jon Jacky)
RISKS of wrong numbers and tigers (Steve Nuchia)
Academic Assignment of Viruses (Bill Murray)
Peter J. Denning on Terminology (Bill Kinnersley)
COMPASS '88 PROGRAM (Frank Houston)
Halon agreement and the ozone models (Rob Horn)
The RISKS Forum is moderated. Contributions should be relevant, sound, in good
taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome.
Contributions to [email protected], Requests to [email protected].
PLEASE use a relevant "Subject:" line, not just "RISKS DIGEST i.j...". THANKS.
For Vol i issue j / ftp kl.sri.com / get stripe:<risks>risks-i.j ... .
Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85),(6,95).
----------------------------------------------------------------------
Date: Sun, 05 Jun 88 17:32:33 PDT
From: [email protected] (Jon Jacky)
Subject: Review article on privacy/civil liberties risks in CACM
Many readers of this digest will be interested in the article, "Information
technology and dataveillance," Roger A. Clarke, Communications of the ACM,
31(5): 498 - 512, May 1988. This is a long review with 78 references.
The author defines "dataveillance" to mean the systematic use of computing
technology in the investigation or monitoring of the actions or
communications of one or more persons. He distinguishes between "personal
surveillance" - surveillance of an identified person, where there is a
specific reason for the investigation, and "mass surveillance" - surveillance
of large groups of people in order to identify individuals who might be of
interest to investigators. The author concludes that computing technology
is making it much easier to perform both kinds, a lot of it is going on
and more can be expected.
The author says he does not argue that surveillance
is intrinsically evil or that it should be ruled out altogether, but
argues that much of what is in fact now going on is in general a bad thing,
especially the mass surveillance. He concludes that privacy and civil
liberties protections in place in most countries are inadequate to protect
against these new surveillance techniques. The author says that he feels
people working in computing, due to their special knowledge, have some
special responsibility to consider privacy implications of their work,
evaluate safeguards, and lobby for effective ones.
- Jon Jacky, University of Washington
------------------------------
Date: 4 Jun 88 18:32:45 GMT
From: [email protected] (Steve Nuchia)
Subject: RISKS of wrong numbers and tigers
Organization: Public Access - Houston, Tx
(Paraphrased from The Houston Post, 29 April)
A local newscast carried a story on a Herpes research project under way at
Baylor College of Medicine, and displayed a phone number for volunteers to call
- with appropriate assurances of confidentiality.
Not only was it the wrong number, it was the number for the "back door" to the
public address system at Baylor (No indication of how large an area was covered
- it is a big place.)
The callers, hearing a pick up but no answer "assumed it was an answering
machine" and "gave their names, phone numbers, everything."
I believe this points up an important "human factor." People are a lot less
cautious when they initiate a contact than when they are contacted. This
explains the easy success of the typical "service spoof" attacks - password
harvesters and "night deposit box out of order" scams. I don't have a magic
answer for designers of services - it is very hard to design a service that is
at all hard to spoof if the clients aren't at least a little bit cautious.
Second item:
One of the tigers went through a window in a door and killed an employee. It
was at night and the public would not have been in immediate danger even in the
daytime, but the incident nevertheless caused quite a ruckus.
The firm that designed the enclosure stated that the door design, including the
window pane used, was "standard" for that kind of application. The tiger had
no trouble going through it, and there was no indication that it was defective,
nor that any other tiger would have had any trouble going through any other
door of like design.
(Zoo officials have the big cats in holding cages while the window materials
used in the (relatively new) cat facility are tested - by swinging miniature
wrecking balls into them. The cat facility is a modern close-contact one - you
can routinely find one of the lionesses sleeping against a window with the
public on the other side - in a tunnel.)
Apparently quite a few nominally professional people in the world think that
standards excuse them from thinking. Perhaps that explains the popularity of
standards?
Applicability to computers? Gee, there aren't any people clamoring for
standards in the computer industry, are there?
Steve Nuchia uunet!nuchat!steve (713) 334 6720
[Yes, but we've always had tiger teams trying to break system security. PGN]
------------------------------
Date: Sun, 5 Jun 88 10:25 EDT
From: [email protected]
Subject: Academic Assignment of Viruses
A society that depends upon any mechanism for its own proper functioning,
cannot tolerate, much less encourage, any tampering with the intended
operation of that mechanism.
Therefore, one is tempted to rise up in indignation at the idea of a qualified
academic assigning a virus to his students. The next thing you know, they will
be assigning plagiarism. How about the forgery of academic credentials?
Perhaps we should offer a course in how to falsify research results. Or,
perhaps, on how to trash another's experiments, notes or reports.
Perhaps it is a sign of immaturity that we are unable to recognize the moral
equivalency. I will leave open the question of whether the immaturity is in
the technology, the society, or academia.
I thought that we put this issue to bed several years ago when we stopped
assigning the breaking of security. It seems that we did not.
For an academic to be unable to recognize that assignments, and the recognition
that goes with their successful completion, encourages the behavior assigned,
demonstrates a lack of understanding of the activity in which he is engaged.
If he understands it, and still makes such an assignment, he demonstrates a
lack of understanding of where his real interest rests.
Such irresponsible behavior may account, in part, for the anti-academic bias in
our society and for the manifest distrust of the scientific establishment. It
is of little wonder that the citizens of Cambridge, Massachusetts are reluctant
to trust the likes of these with genetic engineering.
If there is any lesson that we should have learned from the computer, it is
that understanding the effects of what we intend for it to do is a daunting
task. Even getting it to do what we intend is not trivial. It seems to me,
that there is plenty of material here for assignments; we need not look to
assignments which are at best trivial, and at worst, dangerous.
William Hugh Murray, Fellow, Information System Security, Ernst & Whinney
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840
------------------------------
Date: Mon, 6 Jun 88 12:02:13 mdt
Sender: Virus Discussion List <VIRUS-L%[email protected]>
From: Bill Kinnersley <iphwk%[email protected]>
Subject: Peter J. Denning on Terminology
Subscribers to this list may be interested in the recent article
"Computer Viruses" by Peter J. Denning in the American Scientist, vol 76
page 236. In particular, he discusses terminology. Paraphrasing his
definitions:
1) Worm - a program that invades a workstation and disables it.
<one copy per machine, RAM resident, self propagation via network>
2) Trojan horse - a program that performs some apparently useful
function, but containing hidden code that performs an
unwanted malicious function.
<file resident, propagation by unwitting human beings>
3) Bacterium - a program that replicates itself without bound,
thereby preempting the resources of the host system.
<many copies per machine, RAM resident, self propagating>
4) Virus - a program that incorporates copies of itself into the
machine code of other programs, and when those programs
are invoked, performs a malicious function.
<two phase life cycle - RAM form with self propagation,
file form with human propagation>
Denning points out that these types often occur in combination.
A Trojan Horse is the most common means of originally introducing a
virus into a system. For example, a Trojan Horse compiler can attach
a copy of the virus code to its output.
Defence against computer viruses comes out sounding like a message
from the Surgeon General. Practice digital hygiene yourself. Don't
exchange programs with anyone whose computer habits are not up to
your own standards. Refuse to use software if the manufacturer's
seal has been broken!
Maybe we need a "Centers for Computer Disease Control".
[No comments on the last sentence, please. Recent
issues of RISKS have beaten that idea to death. PGN]
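Denning's hygiene advice above treats the manufacturer's seal as an integrity check on the software you receive. The software analogue, given here as an added example that is not part of the digest or of Denning's article, is a manifest of file digests that the publisher seals with a key the recipient already holds (an HMAC stands in for a publisher signature). The file names, file contents and key are constructed for the demonstration; the Trojan-horse step simply appends bytes to the binary, the way the compiler in the text attaches hidden code to its output.

```python
"""Digest-manifest integrity check: the software analogue of a
"manufacturer's seal" (added example, not code from the RISKS digest).
File names, contents and the publisher key below are constructed."""
import hashlib
import hmac
import os
import tempfile
from typing import Dict, Iterable, List, Tuple


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large binaries are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str, names: Iterable[str]) -> Dict[str, str]:
    """Record the digest of each shipped file at publication time."""
    return {n: sha256_of(os.path.join(root, n)) for n in names}


def seal_manifest(manifest: Dict[str, str], key: bytes) -> str:
    """Seal the manifest itself; without this a Trojan can rewrite it."""
    canonical = "".join(f"{n} {d}\n" for n, d in sorted(manifest.items()))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def verify_package(root: str, manifest: Dict[str, str], tag: str,
                   key: bytes) -> Tuple[bool, List[str]]:
    """Return (seal_intact, problems). The seal on the manifest is checked
    first, because an unsealed manifest proves nothing; then every listed
    file is checked for modification, and unlisted files are reported."""
    if not hmac.compare_digest(seal_manifest(manifest, key), tag):
        return False, ["manifest seal invalid"]
    problems: List[str] = []
    for name, expected in manifest.items():
        path = os.path.join(root, name)
        if not os.path.exists(path):
            problems.append(f"missing: {name}")
        elif not hmac.compare_digest(sha256_of(path), expected):
            problems.append(f"modified: {name}")
    for name in sorted(os.listdir(root)):
        if name not in manifest:
            problems.append(f"unlisted: {name}")
    return (not problems, problems)


def demo() -> dict:
    """Clean package, Trojaned binary, and a forged manifest without the key."""
    key = b"publisher-key-constructed-for-demo"
    with tempfile.TemporaryDirectory() as root:
        files = {"prog.bin": b"\x7fELF\x01\x01\x01 constructed binary",
                 "README": b"constructed readme\n"}
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        manifest = build_manifest(root, files)
        tag = seal_manifest(manifest, key)
        clean = verify_package(root, manifest, tag, key)

        # Trojan horse: hidden code appended to the shipped binary.
        with open(os.path.join(root, "prog.bin"), "ab") as f:
            f.write(b"<hidden payload>")
        tampered = verify_package(root, manifest, tag, key)

        # Attacker also regenerates the manifest to match, but lacks the key.
        forged = build_manifest(root, files)
        forged_result = verify_package(root, forged, tag, key)
    return {"clean": clean, "tampered": tampered, "forged": forged_result}


if __name__ == "__main__":
    for case, (ok, problems) in demo().items():
        print(f"{case}: seal intact={ok} problems={problems}")
```

The order of checks is the point: the manifest is only evidence if its seal is verified first, and the key (or, in practice, the publisher's public key) must reach you by a channel the software itself did not travel on. A manifest shipped unsigned inside the same package is exactly the seal a Trojan horse would re-glue.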
------------------------------
Date: Thu, 2 Jun 88 12:46:15 edt
From: [email protected] (Frank Houston)
Subject: COMPASS '88 PROGRAM
*****************************************
* *
* COMPASS '88 *
* JUNE 27th - July 1st, 1988 *
* *
* NATIONAL BUREAU OF STANDARDS *
* Gaithersburg, MD *
* *
* ADVANCE PROGRAM *
* *
*****************************************
* MONDAY, 27 JUNE 1988 *
Meeting of the Tri-services Software Safety Working Group
* TUESDAY, 28 JUNE 1988 *
0730 REGISTRATION
0900 CALL TO ORDER
General Chair---CDR Mike Gehl, Office of Naval Research
0910 OPENING REMARKS
Honorary Chair---Helen Wood, Deputy Director, Institute for
Computer Sciences and Technology, National Bureau of Standards
0930 PROGRAM OVERVIEW
Program Chair---Janet Dunham, Research Triangle Institute
0940 INTRODUCTION OF KEYNOTE SPEAKER AND PANEL
Chair, COMPASS Board---H.O. Lubbes, Space and Naval Warfare
Systems Command
0950 KEYNOTE ADDRESS
Chair, Keynote Panel---Dr. Roger McCarthy, Failure Analysis, Inc.
"THE PRESENT AND FUTURE SAFETY CHALLENGES OF COMPUTER CONTROL"
1100 COFFEE BREAK
1130 KEYNOTE DISCUSSION
PANEL: Herb Hecht, SoHAR, Inc.
Peter Neumann, SRI International
Jim Treacy, Federal Aviation Administration
Andres Zellweger, Computer Technology Associates
William J. Rodda, DELCO Electronics Corp.
1300 LUNCH BREAK
1430 RISKS AND BENEFITS
Chair---Janet Dunham, Research Triangle Institute
* "The Computer Related Risk of the Year: Computer Abuse"
Peter Neumann, SRI International.
* "Alzheimer's Patient Monitoring System"
Doris Rouse, Research Triangle Institute
* "Advance Computations into the Third Millenium"
James P. Farell
1530 COFFEE BREAK
1600 WHAT IS SOFTWARE SYSTEMS SAFETY?
Chair---Al Friend, Space and Naval Warfare Systems Command
* "Software Systems Safety and Human Error Avoidance"
Mike Brown, Naval Surface Warfare Center
* "A Definition of Process Security"
John McDermott, Naval Research Laboratory
* "Definitions and Requirements for Distributed Real-Time Systems"
Christina Berggren, IBM System Integration Division
* "An Approach to Software Safety Analysis in a Distributed
Real-Time System"
Sang H. Son and Chun-Hyon Chang, University of Virginia
and Paul V. Shebalin, ORI
1730 ADJOURN
1900 BANQUET
* "Stalking the Wily Hacker"
Cliff Stoll, Lawrence Berkeley Laboratories
* WEDNESDAY, 29 JUNE 1988 *
0900 RELIABILITY AND SECURITY OF VOTE COUNTING SYSTEMS:
Chair---Lance Hoffman, George Washington University
Panel: Roy Saltman, National Bureau of Standards
Emmett Fremaux, Jr., District Board of Elections and Ethics
Peter Neumann, SRI International
1000 ENGINEERING ERROR FREE SPECIFICATIONS
Chair---Sam DiNitto, RADC
* "Overview: Complementary Completeness"
Sam DiNitto, RADC
* "Early Detection of Requirements Specification Errors"
Paul C. Jorgensen, Arizona State University
* "Reliable Software Specification"
John McLean, Naval Research Laboratory
* "An Investigation of the Reliability of a Software
Specification"
Janet Dunham, Research Triangle Institute
1100 COFFEE BREAK
1130 DESIGNING SAFETY CRITICAL SYSTEMS
Chair --- Peter Neumann, SRI International
* "Designing Safety Critical Systems: The Viper Microprocessor"
Dr. John Cullyer, Royal Signals and Radar Establishment
* Question and Answer Session
1300 LUNCH BREAK
1430 SOFTWARE PRODUCT ASSURANCE: TECHNIQUES FOR REDUCING SOFTWARE RISK
Chair---Dolores Wallace, National Bureau of Standards
* "Software Product Assurance: Reducing Software Risks in
Critical Systems"
William Bryan and Stanley Siegel, Grumman Corporation
* "FIPS 132/IEEE 1012 SVV Plans Standard"
Dolores Wallace, National Bureau of Standards
1600 COFFEE BREAK
1630 VERIFICATION, TESTING, AND ANALYSIS
Chair---Michael Brown, Naval Surface Warfare Center
* "Predicting Computer Behavior"
Don Good, Computational Logic, Inc.
* "On Back to Back Testing"
Mladen Vouk, North Carolina State University
* "A Static Scheduler for the Computer Aided Prototyping System"
Dorothy Janson and Prof. Luqi, Naval Post Graduate School
* "The IBM Software Quality and Productivity Program"
Anne Martt, IBM Houston
1800 ADJOURN
* THURSDAY, 30 JUNE 1988 *
0900 SOFTWARE SAFETY MODELING AND MEASUREMENT
Chair---Herb Hecht, SoHaR
Panel: Jerry Mauck, Nuclear Regulatory Commission
Douglas R. Miller, George Washington University
Dev Raheja, Technology Management, Inc.
1015 USE OF MODELING TOOLS: A VARIED APPROACH
Chair---Don Lee, Aerospace Corporation
Panel: Sal Bavuso, NASA-Langley Research Center
Nancy Leveson, University of California-Irvine
1100 COFFEE BREAK
1130 PANEL DISCUSSION: SAFETY REVIEW PROGRAMS
Chair---George Finelli, NASA-Langley Research Center
Panel: Mike Brown, Naval Surface Warfare Center
Frank Houston, Food and Drug Administration
Mike Dewalt, Federal Aviation Administration
1300 LUNCH BREAK
1430 CASE STUDIES: OPERATIONAL SAFETY AND PROCESS SECURITY CONSIDERATIONS
Chair---Dan Strub, U.S. Air Force
* "On Software Safety Management"
Jim Dobbins, Verilog
* "A Methodology for Analyzing Avionics Software Safety"
Bob De Santo, LOGICON, Inc.
* "A Case Study of System Integrity for Alcohol Taxation"
T. F. Buckley, P.W. Garratt, and T.G. Gough, Leeds Univ., U.K.
* "Update on the Safety Verification of the B1 Bomber"
Joe Cantu, Boeing Military Airplane Company
* "The Centaur Project"
Helen De Mao, Corporation for Studies and Analysis
1600 BREAK
1630 CASE STUDIES: ASSURING MEDICAL SOFTWARE
Chair---Frank Houston, Food and Drug Administration
* "A Methodology for Assuring Medical Software"
Roger Fujii, LOGICON
* "Formal Safety Analysis and the Software Engineering Process in
the Pacemaker Industry"
D. Santel, C. Trautman, and W. Liu, Medtronic, Inc
* Discussion/Question and Answer
1800 ADJOURN
* FRIDAY, 1 JULY 1988 TUTORIALS *
0900 Software Safety and Process Security in the Ada Reusable Software
Environment
E.V. Berard, EVB Software Engineering, Inc.
0900 Verification and Validation
Dolores Wallace, National Bureau of Standards
and Roger Fujii, LOGICON, Inc.
1200 ADJOURN
REGISTRATION--Preregistration closes 17 June 1988. On-Site registration
will begin on 28 June 1988 from 0730 to 0900 in the NBS Administration
Building. Persons attending the Tri-Service Software Systems Safety
Working Group may register there on 27 June 1988 between 1530 and 1730.
PARKING--Parking is available in the NBS Visitors Parking Lot adjacent to
the Administration Building.
TRANSPORTATION--For those attendees who will be driving, the National
Bureau of Standards is located on Clopper Road near the I-270 interchange
approximately 12 miles north of I-495 (marked "National Bureau of
Standards/ Clopper Road" for northbound travelers; or "National Bureau of
Standards/Route 124 Darnestown" for southbound travelers). For attendees
who do not wish to drive, the conference hotels are accessible from Dulles,
National and BWI airports by regular limousine service with no reservation
required. Also, NBS provides shuttle service to and from the Shady Grove
Metrorail Station (on the Red Line) on the quarter and three-quarter hour
(0815, 0845, ... 1715) from the West side KISS AND RIDE lot. COMPASS will
provide a shuttle morning and evening between NBS and the conference
hotels.
MEALS--The registration fee includes lunches on Tuesday, Wednesday, and
Thursday, and Dinner on Tuesday evening. Refreshments will be available at
all breaks.
FOR ON-LINE or hard-copy REGISTRATION FORMS, PLEASE CONTACT FRANK HOUSTON
[email protected].
------------------------------
Date: Thu, 2 Jun 88 19:31:50 edt
From: [email protected] (Rob Horn)
Subject: Halon agreement and the ozone models
The real risk with the freon-halon-ozone controversy is best
understood when you realize that the Third World countries were
major opponents to the production freeze. The major uses of
freons are:
1) Refrigeration
2) Manufacturing
3) Fire Protection (only about 10%)
Freons have been shown to be much cheaper and much safer than the
alternative technologies. Only recently have there been
indications that equally safe refrigeration technologies can be
practical, and these will be many times more expensive.
In the Third World refrigeration means much more than a cool car.
It can mean the difference between life and death. In food
production, refrigeration allows produce to reach markets, to be
stored safely. Without it (and most underdeveloped countries
lack adequate refrigeration) food spoils, farm incomes drop
dramatically, people go hungry, people starve. In medicine,
refrigeration means medicines that don't spoil and blood
transfusions. Lack of refrigeration means death. So the Third
World countries opposed the removal of freons. Why agree to many
thousands of deaths just to keep the Americans happy? The future
environmental destruction is a good reason, but with so much at
stake the evidence must be persuasive. Even with the new
technologies, they must weigh the huge increase in costs against
their limited incomes.
The evidence from the computer models is weaker than the press
reports indicate. The measurements of world ozone show an
*increase* of about 5% from 1960 to 1975 followed by a much
larger and faster decrease of about 15% since then. The computer
models do not predict or explain that increase. Their
predictions of what altitudes would have how much of a decrease
do not match the observed decreases. The models did not predict
the Antarctic `hole', although this has a tentative explanation.
I believe that the real deciding factor was the intuitive
decision by the negotiators that while the models were pretty
inaccurate, the measurement data was accurate enough to make the
trend very worrisome. The rapid action following confirmation of
the satellite data calibration is consistent with this. It also
is evidence of a cautious approach towards computer models. The
research level was dramatically increased, both into the
atmosphere and into freon substitutes, after the initial modeling
results were published. Freon uses with easy substitutions
(spray propellant) were eliminated in the US. Oddly, the
Europeans did not follow suit. The drastic changes were studied,
but no action taken until there was much more information.
The Montreal agreement also places real emphasis on more data gathering and
analysis following the agreed freeze and reduction in production. The
reduction goal can be met with changes in refrigeration and manufacturing
without any change in fire protection uses. The United States may move
internally for much larger reductions. The large chemical companies may decide
to switch production entirely when suitable substitutes are found. Dow has
announced its intention to completely phase out freon production. The
international agreement is to reduce somewhat, then wait for more evidence from
measurements.
Rob Horn
------------------------------
End of RISKS-FORUM Digest
************************