Subject: RISKS DIGEST 10.26
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Wednesday 29 August 1990  Volume 10 : Issue 26

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Stonefish - the software strikes back? (Pete Mellor)
  Computers at the Campus Bookstore (Gary McClelland)
  Reverse Engineering - not always a copyright issue (Joe Morris)
  Re: Electronic house arrest units (Martin Minow)
  Re: Proposed ban on critical computerized systems (Perry Morrison MATH)
  Caller ID Discussion List Started (Bruce Klopfenstein)

  The RISKS Forum is moderated.  Contributions should be relevant, sound, in
  good taste, objective, coherent, concise, and nonrepetitious.  Diversity is
  welcome.  CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive
  "Subject:" line (otherwise they may be ignored).  REQUESTS to
  RISKS-Request@CSL.SRI.COM.
  TO FTP VOL i ISSUE j:
    ftp CRVAX.sri.com
    login anonymous
    AnyNonNullPW
    cd sys$user2:[risks]
    GET RISKS-i.j         ; j is TWO digits.
  Vol summaries in risks-i.00 (j=0); "dir risks-*.*" gives directory listing
  of back issues.
  ALL CONTRIBUTIONS ARE CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
  THE MOST RELEVANT CONTRIBUTIONS MAY APPEAR IN THE RISKS SECTION OF REGULAR
  ISSUES OF ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, UNLESS YOU STATE OTHERWISE.

----------------------------------------------------------------------

Date: Wed, 29 Aug 90 22:40:52 PDT
From: Pete Mellor
Subject: Stonefish - the software strikes back?

From Channel 4 news last night (Tue. 28th Aug.):

It is reported that Iraq may be deploying some of the Royal Navy's latest
high-tech weaponry. Apparently this is causing US commanders to be reluctant
to send aircraft carriers into the northern area of the Gulf.

The villain of the piece is the smart mine 'Stonefish', developed by Marconi
Underwater Systems under contract to the Royal Navy.
This little charmer is so cute it listens to the engine noise of ships passing
overhead, and can tell what type of vessel is within range. It 'hides' from
minesweepers, and blows the backside off anything else. At the heart of the
system is (you've guessed it!) 'highly sophisticated and classified'
*software*.

The Channel 4 investigators have in their possession the 'Technical
Description and Specification' of Stonefish. The cover sheet and first few
pages of this document were actually shown on screen, and looked pretty
authentic, with the Marconi logo and classification 'UK restricted:
commercial in confidence' clearly visible.

C4's copy, however, comes not from Marconi's Watford HQ, but from a source not
a million miles removed from Cardoen International, a Chilean firm (no boring
restrictions on arms sales there!) described by an expert from Jane's as being
specialists in the 'laundering' of military technology for the benefit of
third world countries (at least, those with adequate oil revenues to pay for
it). Cardoen has well-established links with Iraq.

The implication is not that Stonefish has been sold bundled to Iraq, but
enough technical information is in dubious hands for the Iraqis to have a
good go at building a look-alike.

Carlos Cardoen, filmed at a news conference, said that he had a very close
relationship with Marconi, and some of their guys had visited him. Marconi
said 'We have no relationship with Cardoen.' and refused to be interviewed.

An expert from an outfit called something like 'Naval Weapons Review' gave it
as his opinion that Iraq probably has 'a limited number of quite sophisticated
mines', but implied that we shouldn't worry too much, since 'the Navy would
not let a UK contractor simply hand over the software for a weapons system'.

So there you have it. Saddam Hussein is in the Stonefish plug-compatible
market, but our Navies are safe provided he can't get his hands on the
operating system.

All of which prompts me to wonder:-

1. If the Iraqis have the software for a 'limited number' of mines, why
   haven't they got enough for an unlimited number? (Perhaps the blockade is
   working, and they haven't got enough floppy disks to make the copies. :-)

2. How does Stonefish 'hide' from a minesweeper? The cylindrical object shown
   in the newsreel shots doesn't look as though it is capable of crawling
   under a rock. Perhaps it just switches off its disk drive to stop the
   noise and pretends to be an oil-drum. :-)

3. How reliably can Stonefish identify ships by their engine noise signature?
   What happens if your cruiser's big ends are rattling?

4. Does Stonefish rely on some sort of sonar transponder to distinguish
   friend from foe? (Remember the Falklands helicopter!)

5. What are the chances that Iraq already has the software? (After all, we
   all know Arabs can't write programs, and software is rather difficult to
   smuggle through customs. :-)

6. The sophistication of Stonefish's recognition system argues for some kind
   of artificial intelligence. If it's that smart, would it know who was
   winning and change sides accordingly? :-)

7. Isn't it time that Jane's produced 'All the World's Software'?

Peter Mellor, Centre for Software Reliability, City University,
Northampton Sq. London EC1V 0HB   +44(0)71-253-4399 Ext. 4162/3/1
p.mellor@uk.ac.city (JANET)

------------------------------

Date: 28 Aug 90 22:49:00 MDT
From: "Gary McClelland"
Subject: Computers at the Campus Bookstore

RISKS readers will recognize this as an old risk but it made this academic
chuckle as we begin another semester. The computer at the campus bookstore
prints out a tag for each required textbook indicating the course number,
instructor, number of copies ordered, etc. Given that textbooks are often
used by more than one course, the computer kindly prints out a cross-list of
other courses using the same text. One card caught my eye with its unusually
long list of cross-listings.
Curious as to what textbook was so popular this term, I looked closer to see
the title. Being an author I had hopes that maybe it was mine :-) Alas, the
title of this very popular text was NO TEXT REQUIRED. I wonder who gets the
royalties on that textbook? :-)

--Gary McClelland, U. of Colorado

------------------------------

Date: Mon, 27 Aug 90 15:43:04 EDT
From: Joe Morris
Subject: Reverse Engineering - not always a copyright issue

There have been several RISKS submissions recently discussing the legal
status of reverse-engineering of copyrighted material. Reading them, however,
one could easily conclude that copyright law is the only governing issue
involved. It isn't: in fact, most of the products I've seen (both mainframe
and personal computer) assert not only copyright but also contract rights.
For example, IBM's FY90 GSA schedule in Special Item 132-30, section 4(a)6
(page 44) includes the item:

  (6) The Government shall not reverse assemble or reverse compile the
      licensed programs in whole or in part.

Almost all vendors have a corresponding clause in their software license
agreements, so the question of copyright law permitting reverse engineering
is usually moot.

Of course, we now have the issue of deciding which parts of the contract are
legally enforceable. (Cf. Vault v. Quaid, in which my memory says the court
held that the shrink-wrap "license contract" in PC software was
unenforceable.)

Shakespeare was right: shoot all the lawyers.

------------------------------

Date: Mon, 27 Aug 90 13:02:55 PDT
From: "Martin Minow, ML3-5/U26 27-Aug-1990 1421"
Subject: re: Electronic house arrest units

It was somewhat disturbing to discover that all of the people who took time
to comment on the "electronic house arrest" units focussed on the technology,
and none apparently noticed that this is a safety-critical application.
I.e., failure of the system may lead to the re-incarceration of a parolee.
I would feel more comfortable if our court/prison/parole system were funded
in such a way as to permit personal contact between the parolee and parole
officer.

Martin Minow

------------------------------

Date: 28 Aug 90 04:33:45 GMT
From: pmorriso@gara.une.oz.au (Perry Morrison MATH)
Subject: Proposed ban on critical computerized systems (Cameron, RISKS-10.24)
Organization: Uni. of New England, Armidale, NSW.

#On page 63 of the August 1990 _World_Press_Review_:
#"Unreliable Computers", by Nick Nuttall, "The Times," London
#Two Australian scientists are calling for a world-wide ban on the use of
#computers in sensitive areas, such as hospital intensive-care wards, the
#nuclear-power industry, air-traffic control stations, and early-warning
#defense systems.

The reference is-

  Forester, T., & Morrison, P. Computer Unreliability and Social
  Vulnerability, Futures, June 1990, pages 462-474.

#  22 fatal crashes of the Black Hawk helicopter --
#which flies by computer -- used by the U. S. Air Force

We refer to the death of 22 *servicemen* in *5* blackhawk crashes since 1982.
Our reference is B. Cooper and D. Newkirk, Risks, November 1987. We didn't
have a vol or issue no. If this is incorrect, please let us know.

Perry Morrison

   [The item was from RISKS-5.58 (15 November 1987). It reappeared in
   Software Engineering Notes, vol 13, no 1 (January 1988), page 7. The
   original source was a wire service report from 12 November 1987. The
   RISKS issues on the Black Hawk also included RISKS-5.56 (9 Nov 87),
   5.59 (16 Nov 87), and 5.60 (18 Nov 87). I hope that helps. PGN]

------------------------------

Date: 23 Aug 90 00:55:15 GMT
From: klopfens@bgsuvax.UUCP (Bruce Klopfenstein)
Subject: Caller ID Discussion List Started
Newsgroups: comp.risks,comp.society.futures,misc.legal

Date: Tue, 21 Aug 90 9:31:25 EDT
From: Telecom Privacy List Moderator
To: telecom-priv@PICA.ARMY.MIL
Subject: Telecom Privacy List

Hello, Everyone. The caller id list is now up and running.
I have about 35 names on it currently. The address is
telecom-priv@pica.army.mil

Currently, the list will not be moderated or digestified. This might change
due to volume.

On Caller-Id .... I believe it should be available, however the following
should apply:

1) It should be blockable at no charge for any number.
2) Name or address (or the fact it is a pay phone) should be made available.
3) Actual calling number should be used not billing number.
4) Under no circumstances should a third number be used shown as the actual
   calling number (i.e. Law Enforcement Officer dialing from one number
   having the id number showing up as a different number).

Optional - Show if number is listed as residential or business.

Dennis

--
Bruce C. Klopfenstein           | klopfens@barney.bgsu.edu
Radio-TV-Film Department        | klopfenstein@bgsuopie.bitnet
318 West Hall                   | klopfens@bgsuvax.UUCP
Bowling Green State University  | (419) 372-2138; 372-8690
Bowling Green, OH 43403         | fax (419) 372-2300

   [We've probably had enough on this issue in RISKS, so here is a new
   outlet. I've also been rejecting ATM and Electronic house arrest items
   unless they are particularly cogent. PGN]

------------------------------

End of RISKS-FORUM Digest 10.26
************************