Subject: RISKS DIGEST 10.82 REPLY-TO: risks@csl.sri.com RISKS-LIST: RISKS-FORUM Digest Tuesday 29 January 1991 Volume 10 : Issue 82 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Re: Patriots: SDI, etc. (Dave Parnas, Nathaniel Borenstein, Phil R. Karn, Hans Mulder) Re: Patriots and electronic cash (Karl Kluge) Re: Electronic cash completely (David Lamb, Larry Nathanson, Randal L. Schwartz, K. M. Sandberg, Peter da Silva, Richard A. Keeney) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others ignored! REQUESTS to RISKS-Request@CSL.SRI.COM. FTP VOL i ISSUE j: ftp CRVAX.sri.comlogin anonymousAnyNonNullPW CD RISKS:GET RISKS-i.j (where i=1 to 10, j is always TWO digits. Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. ---------------------------------------------------------------------- Date: Mon, 28 Jan 91 23:21:58 EST From: parnas@qucis.queensu.ca (Dave Parnas) Subject: Re: Patriot Missile (Agre, RISKS-10.81) Phil Agre asked for comments about the "Patriot" missiles. There seem to be people around who are trying to exploit events in the Gulf War to revive SDI. Let's look at his remarks one at a time. >"The Patriot missiles genuinely seem to be working well, at least in the >desert environment." Actually, we have very little information about how well they are working. We know that they have had some successes and some failures but we have no idea how many Patriot's have been fired for each SCUD shot down. > Yet a few years ago the Patriot was the very prototype of the incompetent >high-tech military development program. Its testing in particular came in for >congressional ridicule. What happened? Among other things, it has been given a particularly easy job. It was originally developed as an anti-aircraft system, not an ABM system. In many ways the job of a terminal phase (point defense) ABM system (for incoming missiles or warheads in unpowered flight) is much simpler than the anti-aircraft task for which Patriot was first developed. Aircraft can take evasive action and use sophisticated devices to fool systems like Patriot. Older missiles such as the SCUD can do neither. I suspect that the Patriot is still not very effective on its original target, manned aircraft. The SCUD is an ideal target for the Patriot. As far as I can determine the key to the Patriot is the launcher, which has a sophisticated Phased Array Radar that can track incoming objects, backed up by a computer that can predict the future path of the object (assuming that it is not powered or steered). This is a rather simple job. The Patriot has an operator to determine whether an object being tracked is friend or foe and designate a target. The Patriot missile itself is launched on a path that will intercept the path of the incoming missile (another simple application of physics) and has a very simple homing system that is effective when (and if) it gets near its target. Were the target missile to change course drastically after launch, the Patriot missile would end up somewhere else. Some reports indicate that some Patriots have missed their targets and ended up where they did damage to the buildings that they were supposed to protect. (These are unconfirmed reports.) >According to its manufacturer and to various other experts quoted in the >press, its software was greatly improved through the application of software >technology developed for SDI. The design and production phase of the Patriot was completed in 1980, and the missile went into operational status in late 1984. Flight tests of the Patriot started in 1974. The development and manufacture tooling stage of the Patriot was completed in 1980, the year before Reagan took office. The SDI program was not announced until 1983. There was no SDI software technology to be applied to Patriot. In fact, I believe the reverse was true. SDIO funded Raytheon to see if the Patriot ideas could be used for the terminal phase components of SDI. If there was technology transfer, must have been from Patriot to SDI. Remember that SDI funds were to be used for "research" on the space-based shield; they were not to be used for improving other weapons. >These experts regard the success of the Patriot as evidence that the >SDI's software nay-sayers were wrong. Those experts had better go back and read what we "software nay-sayers" actually said. The objections that were raised were to the space based aspects of the system. I, and others, repeatedly said that the only place where something could be done was the terminal phase for the defense of important (hardened) targets. Terminal phase defense systems like Patriot can operate without the elaborate communication and synchronization that was envisaged for SDI and do not have to automate the decisions that would have to be automated for the space-based system. Terminal defense systems can have an operator who makes decisions that would have had to be automated in the space-based system. The range of terminal defense systems is rather limited and they cannot prevent the warheads of the incoming missile from detonating if intercepted. For SCUD missiles that carry conventional armaments this is not a serious problem. For the threat portrayed by SDI supporters it was a fatal weakness. Patriot is subject to all the known limitations of terminal phase defense systems. For example, the maximum range is reputed to be 70km and the effective range is reduced if the launcher is not near the projected impact point. We should never forget that the Patriot was about 19 years in development. (Remember former President Reagan's generous offer not to deploy SDI for 7 years!) The SCUD was first deployed about 1965 - Patriot about 19 years later. All RISKS readers should think about the advances that we have seen in 19 years. It should come as no surprise that the Patriot can sometimes destroy missiles that were deployed when its development began. The interesting question is what it would do against aircraft and modern weapons. Dave ------------------------------ Date: Mon, 28 Jan 1991 15:16:04 -0500 (EST) From: Nathaniel Borenstein Subject: Patriots: Reprogramming, SDI implications I heard this weekend on NPR that American & Israeli technicians are furiously working to reprogram the Patriots to be "more intelligent about people on the ground." It seems that nothing in the Patriot's programming informs it about the population (or lack thereof) in the area. The NPR report was unclear on what the differential actions would be, but I presume that it might have options regarding the moment of interception, and is being reprogrammed to favor intercepting when not directly over a populated area. Aside from being amazed that this was never taken into account in the first place, I'm awestruck that they're willing to reprogram the Patriot -- which seems, after all, to basically work -- right in the middle of the war! I know I feel like I'm living dangerously even when I install a new binary in peacetime... On the subject of "Does Patriot prove SDI could work?" I think the answer is a clear and resounding no. First of all, the Patriots can't even hit all the SCUD missiles. Letting 1 of every 10 SCUDs through is a big success, but letting 1 of 10 Soviet nuclear missiles in would be a disaster. Second, the SCUD is a relatively slow missile that follows a fixed trajectory; it would be useless against anything that can take evasive action, such as a Cruise missile, and you'd probably need some sort of AI-like techniques to predict the future trajectory of a Cruise taking evasive action. Finally, I heard an air force officer explaining on CNN the other day that the Patriots may never again be as useful as they are being in this war, because "now that their capabilities are known, it will be trivial to make the next generation of missiles able to fool them. Basically, in this game all the cards are stacked in favor of the offense." In other words, we're very lucky that the Patriots are so well suited to the current situation, but we'd be foolish to extrapolate wildly to future situations, and particularly to SDI. ------------------------------ Date: Mon, 28 Jan 91 20:24:19 EST From: karn@thumper.bellcore.com (Phil R. Karn) Subject: Re: Patriot (RISKS-10.81) Ever since the first successful Patriot intercept over Saudi Arabia, I began waiting for the SDI crowd to being crowing. I didn't have to wait long - Louis Rukeyser on PBS's Wall Street Week last Friday was one notable example of engaging mouth with brain in neutral. But no reputable critic of SDI ever said that a system like the Patriot could NEVER hit missiles fired singly or in small volleys that target relatively small areas, carry conventional high explosive warheads, and lack some fairly obvious countermeasures. Yet despite the relatively easy targets presented by the Iraqi SCUDs there have already been quite a few failures of the Patriot to destroy them, and several cases where the Patriots have themselves apparently caused damage to the cities they are supposedly protecting. I wouldn't exactly use the phrase "genuinely seem to be working well" when night after night I see TV footage of missiles (incoming SCUDs and/or errant Patriots) producing unmistakable explosions when they hit the ground in Saudi Arabia and Israel. If the SCUDs launched at Israel over the past two weeks had been carrying nuclear weapons (which is, after all, the original SDI scenario), northern Israel would now be a smoking ruin -- Patriots or no Patriots. Even the Pentagon admits Patriots are of little use against SCUDs armed with chemical warheads since they would merely disperse the chemical over the target. [...] Phil ------------------------------ Date: Tue, 29 Jan 91 18:16:26 +0100 From: hansm@cs.kun.nl (Hans Mulder) Subject: Re: Patriot missiles In Risks 10.81 Phil Agre writes: > The Patriot missiles genuinely seem to be working well, at least in the > desert environment. Actually, a bug was discovered last week. Apparently, Patriot launchers can operate in two modes: fully automatic and human-in-the-loop. They have been exercised in human-in-the-loop mode for several years now, and work rather accurately that way. But the Patriot launchers defending cities in Isreal and Saudi Arabia are currently running in fully automatic mode, primarily on the ground that they can react a few seconds faster that way. In contrast, the Patriot launchers defending Incirlik Air Base near Ardana, Turkey, reverted to running in human-in-the-loop mode after it was discovered that a bug in fully automatic mode causes the machine to occasionally launch two missiles for no reason (they are always launched in pairs -- presumably because they are so reliable :-} ). A Ministry of Defense spokesperson explained: ``We can't afford to waste these missiles: they cost $600,000 a piece.'' I haven't seen such a thorough risk assessment for years... Hans Mulder hansm@cs.kun.nl ------------------------------ Date: Mon, 28 Jan 1991 21:13-EST From: Karl.Kluge@G.GP.CS.CMU.EDU Subject: Re: Risks 10.81 (Patriot missiles and electronic "cash") 1) No one, but no one, that I am aware of ever seriously suggested that it was impossible to construct software to do terminal interception of ballistic objects. That is a gross distortion of the arguments over SDI software. The idea that the success of the Patriot has any impact (sic) on the issues involved is false. 2) I have seen the electronic "cash" proposal before, and yes these people are serious. My basic philosophy is that the government should have to justify to me why I ought allow them to keep data on me. The idea behind this proposal is that I somehow have to justify to the government why they shouldn't have data on me -- the old "if you have nothing to hide, it shouldn't bother you" argument. Given what we know the government is capable of (remember J. Edgar Hoover, or Nixon's "dirty tricks" squad?) to try to reassure people by saying "Governmental agencies...would be subject to the same Constitutional constrints that currently exist...for the granting of wiretaps" is a joke. Almost makes me want to buy a gun and join the NRA. Karl Kluge (kck@g.cs.cmu.edu) ------------------------------ Date: Mon, 28 Jan 91 15:39:10 -0500 From: dalamb@umiacs.UMD.EDU (David Lamb) Subject: Re: Electronic cash completely replacing cash (RISKS-10.81) Hmm. I know this isn't misc.legal or talk.politics, but... In addition to the obvious RISKS reasons to resist this one, I imagine any serious proposal would get tremendous opposition from fundamentalist Christians, demanding (at least) an exemption for religious reasons. There's a prophecy in Revelations about "the mark of the Beast" without which one could neither buy or sell. There was tremendous furor about Social Security numbers when they were first introduced, from the same group, for the same reason. This proposal is a lot more like the Mark than SSN's were. And of course, one exemption would breed others. David Alex Lamb ------------------------------ Date: 28 Jan 91 22:37:57 GMT From: lan@bucsf.bu.edu (Larry Nathanson) Subject: Re: Electronic cash completely replacing cash (`witt', RISKS-10.81) > If all the people who do business in cash were forced to >report their incomes accurately - if the under-ground economy were >forced to the surface - the Government could collect an additional >$100 billion a year for the nationl treasury - without raising taxes. How is the author so sure of his figures, if this is money that has not been reported? > How do we create a system to keep cash businesses honest ?? >Eliminate cash. That may sound revolutionary, but the exchange of >cash for electronic currency is already used in nearly all legitimate >international business transactions. Define "honest". If every store complied with every last OSHA regulation, most small businesses couldn't afford to stay in business. Sometimes small businesses skirt the rules slightly so as to be able to stay in business. There won't be much of an increase in tax revenue, if the letter of the law is enforced so strongly that no business can survive. > Think about it. Drug deals, muggings, corruption, businesses >concealing their income - they all require cash and secrecy. A >monetary system bases solely on electronic currency would leave a >trail that would cripple such enterprises. Just because the listed illegal acts all require secrecy, does not mean that all secret acts are illegal. If I share an account with my wife, and we both have instant access to every last dime, I can't throw her a surprise party or really be at the bar drinking, when I told her I was at the office. What about minors? Do they have their own card? Do their parents get to see their accounts? Or are they just not allowed to have money? > Then, all the new currency would be returned by its owners to >the bank of their choice. All banks would be required to open >accounts, free of charge, to all depositers. (Banks would surely be >delighted to provide this service at it would result in increased >deposits.) Tell that to my bank. I get hit for around $8 a month just to have an account. It costs money to maintain the information. If everything was completely dependent on this system, as the article states, then it would cost more to maintain the information. No bank in their right mind would let me keep a $20 account without a monthly. > In place of paper money, we would receive new cards - let's >call them Americards - each bio-mechanically impregnated with the >owner's hand and retina prints to insure virtually foolproof >identification. What about those who don't have hands? Or retinas? Or neither? If I buy a pair of socks, I have to be fingerprinted, and put my eye to a machine? (BTW- great way to spread conjunctivitis) > The Government would supply all homes and businesses, free of >charge, with machines, to read the card, certify the holder's >identity, and make instantaneous electronic debits and credits. >Regardless of what such machines would cost, the Government, with $100 >billion in new revenues and no more printing and mining costs, would >come out ahead. Hmmm.. a combination MS card reader, full hand finger print analyzer, retina scanner, computer, and modem, supplied to every individual that wants one. This is supposed to save money over green ink on white paper? > And think of the benefits to the average American. No one >would have to write a check again. Bills could be paid electronically >from home. Such a system is already available through banks and >businesses on a limited, optional basis. And that's the way it should be. On an optional basis. What if I WANT to write a check? What if I'm going to mail a check to someone, so that by the time it gets there, it will be payday, and I'll have money in my account? Instantaneously paying bills from home is great, IF you want to pay them that way. > For example, on payday, instead of receiving a paycheck, your >salary would be electronically transferred into your account. At >lunch- time, you would go to your favorite resteraunt - or the local >hot dog stand -and instead of paying cash, you'd use your Americard. >You'd get a receipt instantly and could get a cumulative record from >you bank (or your personal computer) as often as you like. And the hot dog vendor can see how much money I've got in my account? Every last hot pretzel vendor on the streets of NYC is going to have a MS card reader/retina scanner/fingerprint analyzer? (Not to mention a generator to keep it running) Some of these guys can't afford the wood to burn under the pretzels! > The benefits would be tremendous. Individuals and businesses >would no longer be able to conceal income. All transactions would be >recorded in a computerized bank file and would be easy for the I.R.S. >to check. Muggers and buglars would be out of business: no one would >be carrying cash and stolen property would be difficult to sell >because there would be records of all transactions. Money purely man's invention. If people can't get access to 'real' money, then they will find something else of value, and trade it instead. Gold, Silver, Platinum, and everything else of value would have to be banned. Not to mention barter. This wouldn't even put a dent in illegal activities. But on the other hand, Joe's wife could notice that he bought a 24 pack of condoms, the day after she left on a business trip. > Fugitives would be easier to track down, legal judgements >easier to enforce, illegal aliens simpler to spot, debtors unable to >avoid their responsibilities by skipping town. The census wouln't >overlook households. I'd say the odds on it magically reducing tooth decay are better than the odds on it fixing any one of the above problems. > And there would be no information on the Americard computer >that doesn't already exist in other forms today. If anything, our >rights to privacy would be more secured with the protections that the >Americard would offer. I fail to see the logic underlying that statement. > And besides, I'd like to ask every parent whose child walks to >school through a gauntlet of drug dealers, everyone whose home has >been robbed, whether they think that their rights have been >jeopardized by a system that could solve all these problems ?? In other words, in order to prevent crime, we should radically change the economic structure of our country. Instead of Americards, how about just switching to communism! In the Soviet Union only drug problem is alcohol, and the muggers are shot in the streets. It would be a LOT cheaper just to elect the communist party than to muck around with all this technology stuff. Maybe there are some things that Americans hold more dear (like freedom and privacy) than things even like safety. > Since computer systems occasionally fail, Americard would be >contained on several connected secure computers: at the local bank >branch, the main bank, the regional office of the Federal Reserve and >the Federal Reserve in Washington, D.C. And making the system more complex would tend to reduce problems and increase security? > Americard may seem like a drastic approach but its advent is >inevitable. In the days of the telegraph and the pony express, who >could have imagined that one day there would be a phone on every >street corner in Manhattan ?? Poor analogy. There are many inventions and ideas that never made it off the drawing board. This will be another. Larry Nathanson . 726 Comm Av #5J . Boston, MA 02215 . 617 266 7419 ------------------------------ Date: Mon, 28 Jan 91 15:49:21 PST From: merlyn@iwarp.intel.com (Randal L. Schwartz) Subject: Re: Electronic cash completely replacing cash (`witt', RISKS-10.81) [...] I'd hate to see this system in place. I'm not a luddite, but replacing moveable tokens for ones and zeroes that are necessarily manufactured and replicated at will is opening up a whole bunch of issues all at once. We don't have the authorization/authentication technology far enough along and cheap enough to do this on a national scale yet. And, are you really going to give every man, woman, and child a smartcard? "Here's your allowance junior. Oops! The cardreader is broke. Well, I guess you're not getting one today." And what about the gazillions of vending machines out there? Are you going to make those invalid overnight? A suggestion I had seen was that there'd be small "currency" valid for amounts under, say, $100. Banks (or corner vending machines) would provide for transfers between your smartcard and some "currency". I think we're getting closer to this compromise forced not by government mandate, but by economics. Bills over $100 haven't been printed for quite some time, because most legitimate uses of those bills have been replaced with EFT. I'm using cash less and less each day. I pay nearly all of my daily expenses with my Visa card. In fact, the local Burger King and Seven-Eleven stores take Visa now! I write checks to pay my bills through the mail, although many pay-by-phone services exist so that I wouldn't even have to do that. And not one part of this is by government mandate. Economics have pushed the gradual phase-in of the cashless society. And it's happening quite gradually and rather nicely, thank you. Just another cash-kinda-guy, Randal L. Schwartz, Stonehenge Consulting Services (503)777-0095 merlyn@iwarp.intel.com ...!any-MX-mailer-like-uunet!iwarp.intel.com!merlyn ------------------------------ Date: 28 Jan 91 21:16:18 GMT From: sandberg@ipla01.hac.com (K. M. Sandberg) Subject: Electronic cash completely replacing cash (RISKS-10.81) The worst part about this is that I am sure that the author believes what is said, yet fails to understand the risks involved. True, it would get more tax dollars, but at an unknown cost for all the machines and networks to make it work. What do you do if you lose your card since nobody will trust you without it? With cash at least you can put some aside in case of emergency, but with only a card that may decide to not work it is all or nothing. It also assumes the the barter system does not exist, after all who would exchange items for work. Unless you then take inventory of all the items that a person bought, just to make sure. Of course the line of "if you are honest, why should it bother you" is bound to come up. This means that "honest" people would not mind having cameras watching them all the time since it would cut down on crime, then you could tatto everyone so that there is no doubt about identification. And so it goes, welcome to 1984 by Orwell. Was this in the editorial or opinion section at least? Also what does it take to get people to think about what they are saying, or to just plain think? Kemasa ------------------------------ Date: Tue, 29 Jan 1991 00:46:28 GMT From: peter@taronga.hackercorp.com (Peter da Silva) Subject: Americard... > Think about it. Drug deals, muggings, corruption, businesses > concealing their income - they all require cash and secrecy. A monetary > system bases solely on electronic currency would leave a trail that would > cripple such enterprises. And, of course, let others flower. How well would a cashless economy have prevented the S&L scandal? And, of course, the government would have to call in all the precious metals again. This would just make it easier for the rich... with easily liquifiable assets in the form of stocks, bonds, real estate, and so on... at the expense of the poor and middle class. And that's without considering the possibility of fraud in the system itself! ------------------------------ Date: Tue, 29 Jan 1991 00:11:30 CST From: keeney@vixvax.mgi.com (Richard Keeney) Subject: Re: Abolish Cash When I read the artical "Abolish Cash" by Harvey F. Wachsman, "The Government" appears to be the only safegard in his proposed system. Many people would agree with me when I bring up the point that we still have not devised a good method of completely safeguarding ourselves from the various forms of government that are necessary to run our society. A system where the appropriate legislative body has such absolute control over trade and enterprise would seriously undermine the population's ability to remove such a body from power when they no longer agree with that body's policies or activities. I would assert that "cash" provides a significant safeguard of our right to freely assert our political views, especially in the face of disagreement from those currently in power. I will go even further and point out that such a legislative body would find it almost impossible to resist making full use of the level of control offered by such a system, and would certainly find many innovative ways to make us regret giving them so much control. There are many historical examples of how even the best intentioned use of legislative power can go bad. Not only do we have no reason to trust "The Government" with such a system, but we have many reasons to mistrust them. Another weakness of such a system that I would like to point out relates to the inability of such a system to deal with all the seemingly small but necessary transactions required to "grease" the machine to make things move smoothely. I can imagine that people would become obsessed with every little penny. When you have to take the trouble to make an official "transaction", people will become less generous with things like gratuities, informal loans, small gifts, etc. Such a system would be very cruel (perhaps even to the point of violating our constitutional right to be free from cruel and unusual punishment) to somebody who is denied access to their money due to a lost or damaged card, an error, or red tape. One day everything would seem fine, and the next, wham! "I am sorry sir, but we cannot accept your Americard due to a hold placed by agency Red_Tape_Is_Us relating to a delinquent payment of $0.39. By the way sir, you can clear that up with them on Mondays between 2:00 and 3:00 PM (excepting national holidays of course) if you fill out form 55-A-1-55-92194 in triplicate and have a note from your mom." I would also like to point out one area that would be very similar to credit cards that would require additional thinking. What happens when there is a dispute over a charge between a merchant and a customer? Who would have the onus of proof? What about when a merchant has to have a person's account number to post a running series of transactions as in the case of a hotel, for example? It would be tough to imagine Uncle Sam eating those disputed amounts like credit card companies often do to keep the good will of both the card holder and the merchant. Truth in advertising would also continue to be a problem. How do you know what charge will appear on your card when you put it into a vending machine or give the number to some mail order merchant? Finally, I think "Americard" may already be registered as a trademark by somebody (Ameribank sticks in my head). Richard A. Keeney, Senior Software Engineer, Management Graphics, Inc., 1401 East 79th Street #6, Bloomington, MN, 55425 Phone: +1-612-851-6126 ------------------------------ End of RISKS-FORUM Digest 10.82 ************************