Subject: RISKS DIGEST 11.60
REPLY-TO:
RISKS-LIST: RISKS-FORUM Digest  Thursday 2 May 1991  Volume 11 : Issue 60

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Battle of the computers (Jerry Leichter)
  The risks of risks and leverage (Bob Frankston)
  Free Speech and Government Control of Information (Jerry Leichter)
  Re: Four-digit address causes NYC death (Flint Pellett, Ed Ravin, Bob Frankston)
  Re: Hacking, Civil, and Criminal Law (Jim Giles)
  Research Project [call for guinea pigs] (P.A.Taylor)
  Larry Hirschhorn, Beyond Mechanization, MIT Press, 1984 (Phil Agre)
  2nd PDCS Open Workshop, Newcastle/Tyne - 28-30 May 1991 (Nick Cook)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others ignored! REQUESTS to RISKS-Request@CSL.SRI.COM. For vol i issue j, type "FTP CRVAX.SRI.COMlogin anonymousAnyNonNullPW CD RISKS:GET RISKS-i.j" (where i=1 to 11, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. =CarriageReturn; FTPs may differ; UNIX prompts for username, password. If you cannot access "CSL.SRI.COM", try Internet address "". ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Thu, 2 May 91 11:39:43 EDT
From: Jerry Leichter
Subject: Battle of the computers

As some players in the economy use massive computation to improve their position, will those without access to such resources be left behind? This issue has arisen in the past in discussions of program trading in the stock market.
About two weeks ago, in an article in the New York Times that I forgot to clip, an interesting new example came to light. It seems that airlines are making heavy use of "load management" software. An airline wants to fill as many seats on each flight as possible with passengers paying full fare. However, if there are any seats left over, it is better to fill them with people flying at a discount than to leave them empty, as the incremental cost of flying the extra passengers is essentially nil.

In the past, airlines have had to guess how many seats on each flight to make available at a discount. These days, they have enormous amounts of data on the past history of all their flights. Further, they have the computational capacity to do an essentially continuous recomputation of the optimal number of seats to offer at a discount. The result is that, on the "desirable" flights - late Friday afternoon, for example - it's extremely difficult to get a discount seat. On Saturday, on the other hand, discount seats are usually no problem. The techniques involved have proved very effective - studies show that for many airlines such load management makes the difference between profit and loss.

Many state regulators see this as a "bait and switch" by the airlines - they advertise seats that are simply not available to most of their customers. One side-effect of airline deregulation, however, was to make the airlines just about totally immune to state regulations, and the Federal government has so far shown little interest in getting involved in this matter.

This leaves consumers on their own. Sure enough, a countervailing force has appeared: Travel agencies have begun to develop programs that continually watch for discount seats to appear and grab them for their customers. The computers battle it out - and anyone without computer assistance is likely to be left on the ground.
An old cartoon shows two people standing on the ground, luggage at their feet, looking up at a plane. The words: "If God had meant us to fly, He would have given us tickets." Perhaps today we should substitute "a PC" for "tickets".

-- Jerry

------------------------------

Date: Wed, 1 May 91 23:44 GMT
From: Bob Frankston
Subject: The risks of risks and leverage

The article in today's Wall Street Journal on Prodigy's STAGE.DAT and CACHE.DAT files makes it very obvious how central Risks (and similar discussion groups and journals) have become in this society. Risks itself is very widely read, published and cited. Other lists (e.g. Telecom digest) are read at the agencies such as the FCC.

We are what we are talking about. Not only in the McLuhan sense of the media being the message but also in a more literal sense. At one level we look at examples of bad (and sometimes good) engineering and wonder about the design decisions. Yet here we have an example of phenomena rather than engineering. (Are 900 numbers a phenomenon or did the implementors foresee the implications?)

I don't know if the WSJ article was a direct result of Risks (or similar media) but all this happened within a few days. A number of the most visible reporters do read this digest and participate in the electronic media (emedia). Among emedia, Risks is one of the more responsible. (What is the National Enquirer of enews?) (Let's see how long it takes the terms "emedia" and "enews" to become popular -- start tracking). (Rereading this letter, I'm reminded of the old ads for the Hitchcock saying "The Birds is coming")

[Larry and his brother (Moe?) ...]

------------------------------

Date: Thu, 2 May 91 11:22:27 EDT
From: Jerry Leichter
Subject: Free Speech and Government Control of Information

In RISKS-11.54, Larry Hunter responds to my article on control of information. His article provides examples of exactly the kinds of limited approaches that I was trying to get beyond.
There are two basic areas in which we differ. First, Hunter believes I'm attempting to prescribe appropriate actions. If I gave this impression, let me correct it: I'm trying to PREDICT. My claim is not that stricter controls are a good idea. Rather, I suggest that they are an inevitable result of the direction in which our technologies are headed. (There's certainly room for a good deal of debate about "technological determinism" here. It's not that I don't believe that alternative paths are POSSIBLE; I'm just projecting what I think is by far the most likely path.)

The second issue grows from the first, and Hunter's view of how the fundamental laws of our society are determined. To state it starkly: If "society" comes to believe that government controls on information are necessary, will constitutional limitations still prevent them from coming into being? Hunter believes so; I think he's being naive.

The Constitution protects "speech", "religion", "the press". It never defines any of these terms; case law does. We think we know what they mean, and that the "clear meaning" will not change, but history makes it clear that these terms are quite malleable. The authors of the Constitution were mainly thinking of political speech when they wrote (though claiming that it's only political speech they intended to protect is a much different, and probably indefensible, claim). They probably thought they were protecting the right to choose one's religion, most likely so long as it was some variation of Christianity (or maybe Judaism); they were probably not thinking of a right to choose no religion at all. Curiously, their view of "the press" was probably broader than that of most people today, as "pamphleteers" were important contributors to public debate.

Over the years, we've come to construe these terms in very different ways.
I very much doubt any of the constitutional authors would have found even comprehensible the argument that a striptease was deserving of First Amendment protection as "symbolic speech". We've chosen to define that "in", just as we've chosen to protect atheism under "freedom of religion". On the other hand, we have also chosen to leave certain things OUT of our definitions. Television news isn't quite "the press", and is subject to FCC regulation. Freedom of religion doesn't protect Christian Scientists from child abuse claims when they refuse medical treatment for their children. Note that we don't need a constitutional amendment to effectively change the definitions of crucial terms in the Constitution - all we need is a majority of the Supreme Court.

Hunter's examples - conspiracies, slander, copyright violations, and reckless endangerment, commercial speech - all illustrate "speech" that we have chosen, as a society acting through our legal system, to leave out of the definition of that single, simple word in the Constitution. This is a subtle process, and much of it is surprisingly recent: The reckless endangerment exception - the famous "shouting fire in a crowded theatre" - comes, if I recall, from an opinion by Justice Holmes, which puts it early in this century. I don't know how far back the "commercial speech" exception goes, but note that there have been a number of important decisions defining the bounds of that exception in the last 15 years. (The whole reason the commercial speech exception exists is to curb the unfairly loud voice that rich corporations have, given today's media. Before mass marketing, there was little reason to create such an exception, and in fact the traditional concept of "seller's talk" - which basically said "you can't rely on what a salesman tells you (since we all know they exaggerate)" - created an area in which "commercial" speech was particularly free.)
Historically, the courts have even been quite prepared to make distinctions based on communications media: Peeking through the keyhole requires a warrant but tapping a phone line - well, we needed to pass a special law for that one. Why else is Laurence Tribe now suggesting a constitutional amendment on just this matter?

So: I see little reason to suppose that the courts will blindly accept that all computerized information is "speech", if society decides that some limitations on it are necessary. In the past, we've generally been able to draw the line between things or acts and information - "mere speech": The First Amendment protects your right to publish instructions for building bombs, so we draw the line at the materials you need. In the information age, this line becomes fuzzy. For export, a description of DES is OK, a chip implementing it is not. How about a good software implementation? Should a computer virus - simultaneously speech (pure information) and a potentially dangerous "thing" - be freely publishable?

Let me give a non-computer example of the kind of problem we will face: Mr. M is a numerologist and conspiracy theorist. He believes that he can track down conspiracies in the world by examining various numerical data related to people. He starts a magazine, OutNumber, in which he regularly publishes any numbers he can find concerning (mainly) the rich and powerful. Mr. M has a following, and he has money to pay for tips, so he has no problem finding all sorts of interesting numbers concerning people. Soon he is publishing people's charge account numbers, checking account numbers, PIN's, private telephone numbers, cellular phone numbers, and so on. At no time is there any question of Mr. M's involvement in any attempt to use this data for fraudulent purposes - he is sincerely interested only in his numerological research.

OutNumber, and Mr. M, are probably protected under the Constitution as we currently construe it. My question is, should they be?
Do you think there's really a social consensus that it's essential to protect the ravings of a Mr. M, even in the face of (let us imagine) clear evidence of massive fraud by OutNumber readers against those "profiled" in the magazine? How long do you think the courts will stand up in the face of a new consensus that says, hey, get rid of this guy?

Finally, Hunter responds to my suggestion of some fiction stories with readings on political theory. I have no problem with this. The reason I suggest fiction is that social consensus, and ultimately law, grow as much out of the gut as out of the head. Good fiction lets you explore your own gut feelings. Along those lines, let me suggest Jack McDevitt's "The Hercules Text", which raises the question of whether some information might be so dangerous that one might feel morally compelled to suppress it. Also, Fred Hoyle's classic "A For Andromeda" demonstrates how one can wage interstellar war by sending "mere information". (The equally good sequel, "Andromeda Breakthrough", turns the discussion in a different direction, but the point remains.)

Since my first posting, I've found my copy of Asimov's "Earth Is Room Enough". It was first published in 1957, and the story I cited is, indeed, called "The Dead Past". Since a summary would destroy the "gut" impact that makes me recommend the story to begin with, I still leave to readers the pleasure of the original. (I'll relent if sufficiently pressed.)
-- Jerry

------------------------------

Date: 1 May 91 16:50:25 GMT
From: (Flint Pellett)
Subject: Re: Four-digit address causes NYC death (Nilges, RISKS-11.55)

One poster suggested a more limited set of operations, as in spreadsheets, rather than what you have in "powerful" languages: I don't follow this at all, since 1) you can set your column width to 4 characters in the spreadsheet and get the same sort of problem, 2) the collection of books I have on Quattro use are about 3 times as thick as any other book I have on any of several programming languages: if anything, a lot of spreadsheets are a lot more likely to cause problems due to being complex than the programming languages are.

Dynamic field lengths supported by languages aren't going to prevent this type of problem, because your screen displays are still a finite size, and operating system utilities that have various fixed limits still abound. (Ever try to work with files that have 2000 characters in the file name in UNIX, and figure out what things handle them and what ones don't?) Availability of more powerful ways to control screen real estate (like the ability to put up a scroll-bar that would let you scroll thru the file name looking at 80 characters of the 2000 at a time) are a first step, but even if every variable had infinite length and the only way you could display it was using a scrollable method, you'd still have problems: now you have something so complex a human can't digest it or remember it or deal with it.

5 Digit addresses may be the same thing: maybe the problem there is that someone should have created addresses with no more than 4 digits in the first place. It reminds me of people who put 2000 different files into one directory, rather than organizing that directory into several lower level directories: why didn't someone organize the hierarchy of addresses so that they had groupings (towns, precincts, whatever) in which the addresses were kept smaller?
By the time you let things grow to where you have 1000001 Fifth Ave and 100001 Fifth Ave (did you notice those aren't the same address!?) it isn't the computers causing the problem.

Flint Pellett, Global Information Systems Technology, Inc.
1800 Woodfield Drive, Savoy, IL 61874  217-352-1165  uunet!gistdev!flint

------------------------------

Date: Wed, 1 May 91 12:31:18 EDT
From: eravin@panix.UUCP (Ed Ravin)
Subject: Four Digit Addresses in NYC

I can't believe this one -- large sections of Queens have addresses along the lines of XXX-YY, where XXX is the number of the cross street, and YY is the address unique only within that block. For example, if you lived on 89th Avenue in the Jamaica section of Queens and the nearest numbered street was 169th Street, your address might be 169-25 89th Avenue. The house on the next block, near 170th Street, could have an address 170-25. And so on.

Although it's easy to see how an incompetent or poorly trained emergency operator could mix up one of these addresses that sound more like IBM error messages than places to live, I don't think it's possible that the computer system the operators and dispatchers use could have a fixed limitation to four digits on an address -- as you can see, the address above (and there are plenty like it in Jamaica and nearby) is six characters if you include the hyphen.

Remember, the original posting came from a press report, where the reporter may well have just repeated without critical examination of what someone said, or mixed up what someone said. This kind of inaccuracy in reporting extends to all fields, not just technical.

Ed Ravin  cmcl2!panix!eravin  philabs!trintex!elr  +1 914 993 4737

------------------------------

Date: Wed, 1 May 91 16:02 GMT
From: Bob Frankston
Subject: Re: Four-digit address causes NYC death

Representation is a nontrivial issue.
While it may be "obvious" that one should allow for five digit addresses, what about fractional addresses due to subdivided lots (how do you say "384 3/8e 1St SW" in ASCII, how does it sort??) Apartment addresses? Alternative addresses (6th Ave vs Avenue of the Americas)? Why not require full color graphics and then discover you can't present it on a belt-mounted radio? Then there are the problems of real design against performance and cost constraints? And design cycles that involve committees and 20 years of studiously ignoring technology change.

I'm more concerned with superhuman requirements and a "hang 'em by their thumbs" attitude discouraging attempts at system design. Safer to kill by omission than commission. While it is necessary to encourage and even enforce responsible system design, it is not magic. While much is made of better techniques for creating bug free systems through better technical tools, you can't anticipate all the quirks of mapping the design to the real world.

I'm much more interested in the whole design cycle including reintegrating experience from the field. How does a fix like supporting 5 digit addresses get integrated back into the E911 system? How long does it take? At some point in a system's life cycle fixing bugs tends to increase the total number of bugs. What methodologies mitigate this problem and, in effect, continually refresh a system?

Part of the problem is that engineering and learning does involve taking risks (as Petroski has noted in some of his books). Systems where risk is not allowed do not grow and refresh. At least not internally. (I better stop here, otherwise I'll get into a discussion of the dangers of military/government procurement vs commercial/academic experimentation).

------------------------------

Date: Wed, 1 May 91 09:44:40 MDT
From: (Jim Giles)
Subject: Re: Hacking, Civil, and Criminal Law

"Herman J. Woltring" writes:
> [...]
> If you open your vaults, dismiss the guards, turn off the alarm, and if your
> name is Dagobert Duck, you are equally liable for soliciting criminal
> behaviour as is #789-123 for committing a felony while he purloins your
> bullion. [...]

Not by the laws of any modern nation. What Mr. Woltring is saying is the same as: "If a woman puts on a dress and walks into a bar, she's as guilty of gang-rape as the men in the bar." To be sure, the bank manager who dismisses the guards and the woman who enters the sleazy bar are negligent, perhaps criminally so, but that doesn't mitigate the guilt of the robbers or the rapists.

> [...] In my book, simplistic passwords, retaining known system passwords
> or not plugging known, remote-access loopholes are tantamount to the same.

To take Mr. Woltring's analogy between physical property and computer networks into account, what are the analogous structures? Simplistic passwords are analogous to easily picked locks, known system passwords: emergency access doors, remote-access loopholes: loose boards in the wall.

Now, if I leave the door open, and you come in - you are _still_ guilty of trespass. If I lock the door and you come in, you are guilty of breaking and entering. This is a much more serious crime than trespass since the fact that you entered in spite of the lock shows intent. It doesn't matter how easy the lock was to pick, the emergency exit to break, or the loose board was to find, the fact of breaking through any of those shows that you _intend_ to trespass.

The only difference between this and the computer network issue is that some countries have not yet extended the laws of property to computational facilities. In my book, breaking into a system that is guarded by passwords should be criminal. It shouldn't matter how easy the passwords were to guess or to crack. That is an issue of negligence on the part of the authorized users - it does not mitigate the guilt of the hacker that breaks in.

J. Giles

------------------------------

Date: 01 May 91 14:16:14 bst
From:
Subject: Research Project

I'm in the second year of a PhD which is looking at the rise of the computer security industry and the various groups which make up the "computer underground" or whatever term should be used.

There are two questionnaires I've been using in the research. The first is a very short yes/no type one, designed to produce a data-base of raw statistical information. The second gives a lot more room for opinions and if the respondents are amenable could form the basis of e-mail discussions/interviews.

If you would like to help in the research then please drop me a line. ALL RESPONSES WILL BE TREATED IN TOTAL CONFIDENCE, THE WORK IS FOR SOLELY ACADEMIC PURPOSES. A FULL ANALYSIS OF RESULTS WILL BE MADE AVAILABLE TO ANYONE WHO IS INTERESTED.

Verification of my academic status can be sought from my main supervisor Dr. R. Williams, Director of the Research Centre for Social Sciences, here at Edinburgh University, at the same e-mail site as myself.

Paul A. Taylor, Depts of Economics and Politics, Edinburgh University.

------------------------------

Date: Tue, 30 Apr 91 14:56:36 +0100
From: Phil Agre
Subject: Larry Hirschhorn, Beyond Mechanization, MIT Press, 1984.

Larry Hirschhorn, {\em Beyond Mechanization: Work and Technology in a Postindustrial Age}, Cambridge: MIT Press, 1984.

This is an extremely relevant book that I don't recall seeing mentioned on RISKS before. It's by a management professor, about the new styles of work that are required by new market structures and by the risks inherent in feedback-based technologies. Here are some quotes about RISKS:

We see that watchfulness and attention must be mobilized, because cybernetic-automatic systems introduce new and unexpected ways of failing. Work takes on a new meaning in this context. ...
in cybernetic systems machines and workers complement each other with respect to a typology of errors: machines control expected or `first-order' errors, while workers control unanticipated or `second-order' errors (page 72).

If, as I believe to be the case, error is inevitable in automatic systems---if there are always to be modes of failure that cannot be automatically regulated by feedback-based controls---then learning must be instituted in order to prepare workers for intervening in moments of unexpected systematic failure. Failure, in turn, is a specific example of discontinuity and developmental change. Thus we could define postindustrial work as management at the boundaries of systems and physical realities. Historically, we would then see the worker moving from being the controlled element in the production process to operating the controls to controlling the controls (page 73).

We can find an analogy in daily life. A young child, learning to walk, constantly trips over her own feet. Once she has mastered walking, she may still hurt herself; indeed, because she has mastered walking, she enters new environments that strain her skill in new ways. Each increase in self-regulating capacity is matched by a new context that stretches the newly developed capacity to new limits. Thus the system, always functioning at its limits, is always vulnerable to failure (pages 82-83).

The new technologies do not constrain social life and reduce everything to a formula. On the contrary, they demand that we develop a culture of learning, an appreciation of emergent phenomena, an understanding of tacit knowledge, a feeling for interpersonal processes, and an appreciation of our organizational design choices. It is paradoxical but true that even as we are developing the most advanced, mathematical, and abstract technologies, we must depend increasingly on informal modes of learning, design, and communication (page 169).
------------------------------

Date: Mon, 29 Apr 91 12:34:24 BST
From: (Nick Cook)
Subject: 2nd PDCS Open Workshop, Newcastle/Tyne - 28-30 May 1991.

ESPRIT BASIC RESEARCH ACTION 3092
PREDICTABLY DEPENDABLE COMPUTING SYSTEMS (PDCS)

ANNOUNCEMENT - 2ND PDCS OPEN WORKSHOP (WORKSHOP PROGRAMME INCLUDED)
28-30 MAY 1991
THE COPTHORNE HOTEL, THE QUAYSIDE, NEWCASTLE UPON TYNE, UK

The Workshop Programme, details of venue etc., Registration Form and PDCS Project Synopsis follow. There are still places at the Workshop and there is still time to register for a place. So if you wish to be considered for a place, or have any queries, simply contact me for registration form, information, etc. (by s-mail, email, phone or fax - details below).

Nick Cook, Administrative Coordinator, PDCS
The Computing Laboratory, The University, Newcastle upon Tyne NE1 7RU, UK
Tel: +44-91-222-7827  Fax: +44-91-222-8232  Email:

--------------WORKSHOP PROGRAMME---------------------------------

2ND PDCS OPEN WORKSHOP, 28-30 MAY, 1991
THE COPTHORNE HOTEL, QUAYSIDE
NEWCASTLE UPON TYNE

The Workshop will be based on presentations from PDCS grouped under eight subject headings and about ten demonstrations. The final session of the Workshop, Assessment of Very High Dependability Software, will include prepared responses from two guest speakers.

The presentation sessions will be introduced by a moderator, who will also conduct the discussions that follow. They will be held in series and consist of a number of talks from PDCS covering: Dependability Requirements, Fault Tolerance, Real-Time Issues, Proving and Testing, Software Engineering Environments, Security, Evaluation and Ultra-high Dependability.
Demonstrations currently planned are: Paralex (Universita' Bologna), Recalibrating Software Reliability Models (City University), Authentication - secure LAN (EISS/Universitaet Karlsruhe), Statistical Testing and SOREL (LAAS-CNRS), Tool for Relating Dependability Requirements to Organisational Structure and a demonstration based on the Laboratory's train-set (as seen at FTCS-20) (University of Newcastle upon Tyne), Design Environment for Real-Time Systems and a video presentation of rolling ball experiment (Technische Universitaet Wien), Z-checking (University of York). In addition to the main Workshop business there will be a reception by the Lord Mayor of Newcastle at 18.00 on Tuesday and a banquet dinner at approx. 20.00 on Wednesday (leaving Newcastle at 18.45). The full, preliminary, programme is given on the following pages. Please note: some details are not available yet, such as exact session/presentation titles, and will change before the Workshop. However, all the subject areas indicated will be covered. Also, at this stage the timings are given as indicators of session/presentation length only and are liable to change. 
TUESDAY 28 MAY 1991

10.30-11.15  Welcome address and Overview of PDCS and the Workshop - Brian Randell, University of Newcastle upon Tyne

11.15-12.00  DEPENDABILITY REQUIREMENTS
  Moderator: Brian Randell, University of Newcastle upon Tyne
  Presentations and speakers:
  11.15-11.45  Frameworks for expressing non-functional requirements - John McDermid, University of York
  11.45-12.00  Discussion conducted by the moderator

13.30-15.30  METHODS AND PARADIGMS FOR FAULT-TOLERANT SYSTEM DESIGN
  Moderator: Jean Arlat, LAAS-CNRS
  Presentations and speakers:
  13.30-14.00  Fault Assumptions and Assumption Coverage - David Powell, LAAS-CNRS
  14.00-14.30  Structuring Fault Tolerance in Software Design - Lorenzo Strigini, IEI del CNR
  14.30-15.00  Frameworks for Fault Tolerance - Tom Anderson, University of Newcastle upon Tyne
  15.00-15.30  Discussion conducted by the moderator

15.45-17.25  REAL-TIME ISSUES
  Moderator: Luca Simoncini, Universita' di Pisa
  Presentations and speakers:
  15.45-16.25  Time Triggered Architectures - Hermann Kopetz and Peter Puschner, Technische Universitaet Wien
  16.25-16.55  Predictability and Flexibility in Hard Real-Time Systems - Alan Burns, University of York
  16.55-17.25  Discussion conducted by the moderator

18.00  Reception by the Lord Mayor of Newcastle upon Tyne at the Civic Centre

WEDNESDAY 29 MAY 1991

08.45-10.15  PROVING AND TESTING
  Moderator: Norman Fenton, City University
  Speakers:
  08.45-09.15  Marie-Claude Gaudel, LRI-Universite de Paris Sud et CNRS
  09.15-09.45  Pascale Thevenod-Fosse, LAAS-CNRS
  09.45-10.15  Discussion conducted by the moderator

10.30-12.00  SOFTWARE ENGINEERING ENVIRONMENTS
  Moderator: Santosh Shrivastava, University of Newcastle upon Tyne
  Presentations and speakers:
  10.30-11.00  An Engineering Approach to Hard Real-Time System Design - Ralph Zainlinger, Technische Universitaet Wien
  11.00-11.30  Paralex: An Environment for Parallel Programming in Distributed Systems - Ozalp Babaoglu, Universita' di Bologna
  11.30-12.00  Discussion conducted by the moderator

13.00-13.30  Buses (or walk) to Computing Laboratory for Demonstrations

13.30-18.00  DEMONSTRATIONS IN COMPUTING LABORATORY
  Including in groups of 3 (exact arrangements to be determined):
  Paralex (Universita' Bologna)
  Recalibrating Software Reliability Models (City University)
  Authentication - secure LAN (EISS/Universitaet Karlsruhe)
  Statistical Testing and SOREL (LAAS-CNRS)
  Tool for Relating Dependability Requirements to Organisational Structure and a demonstration based on the Laboratory's train-set - as seen at FTCS-20 (University of Newcastle upon Tyne)
  Design Environment for Real-Time Systems and a video presentation of rolling ball experiment (Technische Universitaet Wien)
  Z-checking (University of York).

18.45  Buses leave for Banquet at Redworth Hall, County Durham

THURSDAY 30 MAY 1991

08.45-10.15  SECURITY
  Moderator: John Dobson, University of Newcastle upon Tyne
  Speakers:
  08.45-09.15  Yves Deswarte, LAAS-CNRS
  09.15-09.45  Dieter Gollmann, EISS/Universitaet Karlsruhe
  09.45-10.15  Discussion conducted by the moderator

10.30-12.00  EVALUATION
  Moderator: Pierre-Jacques Courtois, Philips Research Laboratory Brussels or Isi Mitrani, University of Newcastle upon Tyne
  Presentations and speakers:
  10.30-11.00  Analysis of Software Failure Data - Sarah Brocklehurst, City University and Karama Kanoun, LAAS-CNRS
  11.00-11.15  Discussion conducted by the moderator
  11.15-11.45  Towards Cost Models for Security Evaluation - Bev Littlewood, City University and John McDermid, University of York
  11.45-12.00  Discussion conducted by the moderator

13.30-15.40  ASSESSMENT OF VERY HIGH DEPENDABILITY SOFTWARE
  Moderator: Alain Costes LAAS-CNRS
  Speakers:
  13.30-14.00  Jean-Claude Laprie, LAAS-CNRS
  14.00-14.30  Bev Littlewood, City University
  Discussants responding to presentations:
  14.30-14.50  John Meyer, University of Michigan
  14.50-15.10  Martyn Thomas, PRAXIS plc
  15.10-15.40  Discussion conducted by the moderator

15.40  Closing address - Brian Randell, University of Newcastle upon Tyne
Mr Nick Cook, Administrative Co-ordinator, PDCS
The Computing Laboratory, The University, Newcastle upon Tyne NE1 7RU, UK
Tel: +44-91-222-7827  Fax: +44-91-222-8232  Email:

------------------------------

End of RISKS-FORUM Digest 11.60
************************