Subject: RISKS DIGEST 12.14 REPLY-TO: risks@csl.sri.com RISKS-LIST: RISKS-FORUM Digest Monday 19 August 1991 Volume 12 : Issue 14 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: TRW Wrong on Credit Reports for Entire Town (Scot Drysdale) Computer Crime Bill - S1322 (Robert E. Van Cleef) Bank Shot (RISKS of automatable documents) (Ed Ravin) Misuse of computerized auto registration info (Rodney Hoffman) Risk of licensing programmers -- lost freedom and creativity (John Gilmore) A320 revisited (Robert Dorsett) Re: Procter&Gamble (Steve Bellovin) Re: FSF machine having to clamp down on security (Paul Mauvais) Re: "locking" DoD smart weapons (Guy Sherr) Re: Rumor regarding Soviet calibers (Michael Edelman) More Credit Bureau Risks (Mike Waters) RISKS of calling 911 from cellular phones (E.M. Culver) Book: "Narcissistic process and corporate decay..." (Dan Jacobson) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others ignored! REQUESTS to RISKS-Request@CSL.SRI.COM. For vol i issue j, type "FTP CRVAX.SRI.COMlogin anonymousAnyNonNullPW CD RISKS:GET RISKS-i.j" (where i=1 to 12, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". =CarriageReturn; FTPs may differ; UNIX prompts for username, password. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. ---------------------------------------------------------------------- Date: Tue, 13 Aug 91 11:08:43 -0400 From: scot@moosilauke.dartmouth.edu (Scot Drysdale) Subject: TRW Wrong on Credit Reports for Entire Town TRW appears to have decided that every resident of Norwich, VT is deliquent in paying property taxes. An article in The Valley News from from a couple of weeks ago follows. (I foolishly clipped the article but not the date.) Company Wrong on Credit Reports, by Roger Carrol and Rich Barlow NORWICH - The Vermont Attorney General's office is investigating how one of the largest credit-reporting companies in the world came to list every Norwich property owner as a delinquent taxpayer. Not every taxpayer is delinquent, of course, but Karen Porter - town clerk, treasurer, and collector of taxes - said all 1,500 residential taxpayers are listed that way by the California-based TRW, Inc., which distributes credit information through a nationwide network. ... Porter said she first got wind of the problem about a month ago, when someone from Macoma Savings Bank called the Norwich town office to verify that a customer applying for a loan had paid off a "Norwich County" lien on property. The taxpayer never had a lien on the property, said Porter, who became more suspicious when the phrase "Norwich County" popped up again. "I heard that term three times in two days from various banks and credit bureaus," she said. It stood out because there is no Norwich County. She traced the source of the information to TRW, and it took her a week of calling and writing before she got a company official who could answer her questions. "I had him pull up six or seven records on his computer screen," said Porter. "In each case they (Norwich taxpayers) were listed (on the TRW computer) as having liens. But in each case they had paid in a timely fashion. He's making long sighs on the other end of the phone while I'm telling him there are 1,500 he has to correct." [...] The article goes on to describe how TRW blames the error on National Data Retrieval of Norcross, GA. An NDR representative came to the town office in February and wrote down the names listed in the town's receipt book. The NDR representative blamed it on a keypunch operator in Georgia. A couple of days ago Porter published a Letter to the Editor claiming that TRW claims to have fixed all of the incorrect records, but that she has not yet gotten that in writing. Scot Drysdale scot.drysdale@dartmouth.edu ------------------------------ Date: Mon, 12 Aug 91 14:35:51 -0700 From: vancleef@nas.nasa.gov (Robert E. Van Cleef) Subject: Computer Crime Bill - S1322 Senator Leahy's Computer Crime Bill Would Close Loopholes in CFAA (From Government Computer News, August 5, 1991, Page 98) "Sen. Patrick J. Leahy has reintroduced a computer crime bill that would close loopholes in the existing Computer Fraud and Abuse Act (CFAA) by making it a felony to introduce viruses or other damaging programs intentionally into computers. " [...] One recent study estimated that computer crime now causes between $3 billion and $5 billion in damages a year, [Sen. Hank] Brown said. " [...] Recognizing that some incidents are neither malicious nor intentional, Leahy said the bill would create a parallel misdemeanor charge for reckless actions that cause harm to computers. " [...] Bob Van Cleef, NASA Ames Research Center (415) 604-4366 vancleef@nas.nasa.gov ------------------------------ Date: Fri, 16 Aug 91 17:40:00 EDT From: elr%trintex@uunet.UU.NET (Unix Guru-in-Training) Subject: Bank Shot (RISKS of automatable documents) Yet another technology-enabled telephone scam -- a telemarketer calls up someone and cons them into reading over the phone the numbers off one of their checks. The cons use this information to print up a "demand draft" which lets them pull any amount of money they want from the victim's checking account. The demand drafts, like checks, are automatable documents, and access to check-printing technology seems to be a plus in pulling this off. Unfortunately, no one has yet called for changes to the technology used in checks and demand drafts. [Remember the Forbes cover story on how easy it is to fabricate a check -- they were able to clear a forged $30,000 check that they manufactured with a color photocopier and a desktop publishing system.] It's kind of scary to think that the banking industry so far finds the threat of massive fraud insufficient motivation to change a technology they're comfortable with. Here's a recent news article on the subject. Note that the words "computer crime" or "hacker" aren't being used, but they would be if the technology involved was owned by a less respectable institution than the U.S. banking industry... A DEMAND TO GUARD CHECKING ACCOUNTS, by Jean Iida, American Banker, NY Newsday, July 25, 1991 A new high-tech telemarketing scam that is stinging banks and consumers is catching the attention of Washington, DC lawmakers. But a proposed law aimed at protecting consumers may do little to limit banks' exposure to the crimes. The drafted legislation would address the problem of fraudulent demand drafts -- a check-like mechanism that can be used to siphon money from checking accounts. Demand drafts, used legitimately by a variety of businesses to collect recurring payments from their customers, are automatic withdrawals from a checking account. Insurance companies, for instance, often use them to collect premium payments. The scam has cost banks and their unwitting customers hundreds of millions of dollars since it cropped up late last year, bankers and investigators said. And despite the big losses, bankers seem to have few ways to combat criminals who use sophisticated check-printing equipment to take advantage of banks' need to quickly process checks and demand drafts. As a result, Congress may pick up the gauntlet. Rep. Ron Wyden (D-Oregon) is proposing legislation that would register and set bonds of about $200,000 for each telemarketer. The bill, for which Rep. Wyden is now seeking comment, could even include restrictions on the types of companies that can buy sophisticated check-printing equipment often used in the crimes. ... Because banks' check-processing operations are so highly automated, it is nearly impossible for a bank to catch a questionable demand draft. "There's no automated way to catch bogus demand drafts," said one banker who asked not to be named. Usually, "you don't know you have a problem until you get the return items, and by then it may be too late." In the scam, whose victims are frequently older people, a telemarketer obtains checking account and other codes found on the magnetic-ink character line of checks, often promising in return cosmetics, prizes, or trips. Later, the consumer may be charged for the goods but receive nothing, or receive the promised goods but find them shoddy. Or victims may find that their checking accounts have been drained of far more money than expected. The consumer may then turn to the bank, demanding a refund. Once a bank has paid funds from a consumer's account to the telemarketer's, the bank is frequently liable. Once a telemarketer knows a consumer's checking account and transit routing numbers, he can use demand drafts as a blank check to withdraw almost unlimited sums of money. But demand drafts are here to stay. Millions of legitmate demand drafts are processed every year. And the proposed measures, such as requiring telemarketers to post bonds, would protect only the first consumer to notice the fraud. Typically, consumers do not know they have been victimized until after they receive their monthly bank statements. "The problem is how high do you go" in setting a bond, Barker said. "Some telemarketers got $1.7 million in small amounts in six weeks." Ed Ravin eravin@panix.com philabs!trintex!elr ------------------------------ Date: Mon, 19 Aug 1991 08:15:02 PDT From: Rodney Hoffman Subject: Misuse of computerized auto registration info Precis of a `Los Angeles Times' article by Paul Jacobs headlined ADDRESSES AT DMV REMAIN ACCESSIBLE (August 19, 1991, page A3): The California Department of Motor Vehicles regularly opens its address files to 14,000 businesses and individuals, many of whom have direct access to the DMV's computerized files. Audits found unauthorized use and other problems in more than 25% of a recent sampling of these accounts. None have yet been prosecuted. In the wake of a 1989 murder of an actress in which the accused killer used automobile registration records to track down the victim, California enacted a new law restricting access to DMV information. However, the law exempts banks, insurance companies, car dealers, wrecking yards, and process servers. Virtually anyone can register as a process server for less than $100. A black market in DMV data has developed. There have also been some cases of DMV employees altering or misusing data. In one recent case, Edward Jack Vijfvinkel is alleged to have misrepresented himself as a private investigator and paid $50 to open a DMV account. He is said to have used license plate numbers to get addresses and other information which he used to write to women he spotted while driving. One woman received a letter saying in part, "I'll give you one week to respond or I come looking for you." A letter to another woman said, "I looked for you though all I knew about you was your license plate. Now I know more and yet nothing. I know you're a Libra but I don't know what it's like to smell your hair while I'm kissin' your neck and holding you in my arms." The woman called the police. Vijfvinkel bragged to the arresting officer that he could find anyone with a license plate. He had in his possession the book, `You Can Find Anyone.' ------------------------------ Date: Sun, 4 Aug 91 04:16:12 PDT From: gnu@toad.com (John Gilmore) Subject: Risk of licensing programmers -- lost freedom and creativity I can't believe all the people who are posting in RISKS that they like the idea of government mandated licensing of the software craft. (I don't care if you call it designing, engineering, programming, or hacking.) What ever happened to the idea of freedom of speech in software? Maybe I'm just an old-timer, but while "some of my best friends" came into software through traditional college courses, most of the best, brightest, and most inventive programmers I know became programmers without formal training. The fathers of the computer revolution you are now staring at and typing to, were able to make the great strides they did, in an incredibly short period of time as measured against any other industry, because there was nobody to say "no, you can't do that". Why would anyone who has the equipment and training that permits them to read this message, want to squelch such creativity and productivity gains for the entire society? I've heard all the drivel about raising standards and driving out the low quality practitioners. Right. What it really does it makes it more painful for *everyone* to enter the industry -- the best *and* the worst. It creates a monopoly, ruled by an old boys' "board of licensing" who entrench their idea of proper programming. It's a good thing this bill didn't pass during the "Goto considered harmful" phase, or it might have ended up "Goto considered illegal" and stuck us programming in Pascal forever. (I also note that the explosion of C programming in the last ten years was mostly among people on micros who typically hadn't programmed before. E.g. if you were required to go through college to be allowed to try C, you wouldn't bother, since the college courses of the time taught Pascal and Fortran; you'd have already been taught how to constrain your thinking to what was possible in inferior languages.) By the way, I never went to college at all. Among the three co-founders of my current successful software startup company, only one of us has a degree - and it isn't in computers (I think it's history). And while I am really very talented with computers, if continuing to work with them means getting a government license, I'll just retire on what I've already made in computers, and start exploring one of the other ten or twelve things I've never had time for. I mean, we turn down government contracts now just over the added paperwork! Did you notice in the bill that it allows people to gain a license to be a programmer even if they don't go to an "approved" college? But it requires years of work experience -- which will be illegal to get after the bill passes. Essentially a grandfather clause disguised as an alternative route. It means that the bright kids and 20 year olds and 30 year olds who currently wander into programming from chemistry or physics or MCAD or library science, or bartending (I know a few!), will be banned from the industry. I'd really rather not replace these talented, motivated people with drones who learned how to take tests and warmed a seat in some state college for four years. We need more interdisciplinary people already -- you want to cut the supply to a tiny trickle of those who're willing to sit through two or three entire courses of formal study? My reaction to the NJ bill was: O boy. Now the programmers will all get upset at it, and not only can we kill off this stupid bill, but perhaps while we're incensed, we can even repeal some of the other ridiculous occupational licensing that's already on the books -- like hairdressers, barbers, car mechanics, etc. If you really care about this issue, I recommend that you implement it in your personal life without waiting for the government. Only buy computers designed by licensed and bonded EE's. (Hint: your SPARCstation is not one of them.) Only buy software that was written by programmers who passed the CDP exam. (Better send back Unix, Emacs, Lotus 1-2-3, and Usenet.) I don't think TCP/IP was designed by registered communications engineers either. (Maybe OSI was -- it has that smell.) Well, you can always run DOS -- ahem -- uh, Bill Gates *started* college, but I don't think he ever finished it. Too busy making better products than all those people who wasted four years. But maybe he *hired* a lot of fully certified licensed degreed people to write the code. Or maybe not. Don't forget to restrict your reading to government-approved writers, and your thinking to government-approved thoughts. Sometimes I think the worst mistake the founders of our country made was giving governments the power to control commerce and trade. John Gilmore, Cygnus Support ------------------------------ Date: Fri, 16 Aug 91 13:01:03 CDT From: rdd@cactus.org (Robert Dorsett) Subject: A320 revisited [This is a re-worked sci.aeronautics reply to a comp.sys.mac.programmer post. It's somewhat relevant in its RISKS-of-RISKS aspects...] And Mr. Finnegan wrote: >The Airbus suffers from what many software safety experts consider a major >design problem - it uses redundant flight computers and a polling computer >to pick the 'majority' answer to each input (I forget the technical term >for this theory -- it's been way too long since I've been immersed in stuff >like this in school/industry). This system is used because some CS people >think polling can replace stringent software testing - if 5 s/w teams all >write code to the same spec and test just a little, the polling computer (if >it is calibrated properly - another issue) statistically should be able to >deduce the proper answer and weed out any incorrect input. Needless to say >many experts aren't convinced. The A320 flight control system is comprised of five computers: two elevator and aileron computers (ELAC) and three spoiler and elevator computers (SEC). The computers use diverse software and hardware implementations: the ELACS are based on the 68000 and Pascal, the SEC's on the 80186 and C. At any one time, there is *one* and only one "hot" computer, and one standby computer. Each computer is actually a combination of two "channels," one microprocessor driving each channel. One such channel is a "command" channel; the other is a "monitor" channel. Each is responsible for guaranteeing the output of the other. The command channel was written in a high-level language; the monitor channel was written in assembler. The ELACS are the higher-level computers, providing all the functionality as- sociated with the complete FBW pilot interface (there are four distinct direct- control flight modes the A320 can be in). ELAC1 is the primary computer. Graceful degradation is accomplished, going from ELAC1 to ELAC2 to SEC1 and so forth. The SEC computers provide a "direct" control law, in which sidestick deflection more or less correlates to control surface movement. SEC3 only controls roll. The pilots can also command switching from one computer to another. Various means (checksums, range tests, time-outs, etc) are used to determine computer robustness. If the checks fail, the computer takes itself off-line. SEC and ELAC development teams were isolated, and prevented from communicating with one another. This was intended to prevent teams from "contaminating" each others' code with common approaches. Any problems theoretically will only arise from the *specification,* although it's entirely probable that each team opted for similar approaches to solving problems. The software and hardware verification regime was performed in accordance to EUROCAE/ED-12A. This is virtually identical to RTCA/DO-178A. The overall system design is fault-tolerant. Considering the need for hardware and software diversity, I really can't see a credible way of implementing this thing, other than a loosely-coupled, asynchronous network--which precludes anything much more sophisticated than polling by client services. In general, the A320 Electronic Flight Control System (EFCS) is a bit too complex to be condemned by a broad statement that it uses "polling." The A320 does not use a "judging" computer such as you describe; clients are partially responsible for minor things such as parity or range checking on the single inputs from the currently active flight control computer. What you seemed to be indicating is more akin to how the *Space Shuttle* works, i.e., having a "majority rules" system of verifying hardware integrity. = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = I suppose I should put a big caveat on all my gripes about the A320 over the past three years: yes, I do think the airplane is unsafe. But no, I do not believe that slipshod work went into its design and construction. There is much to suggest that the design of the A320 EFCS represented a quality control system unprecedented in the industry, and which utilized the best techniques of the time. One might quibble with some isolated aspect of it, but the overall approach was sound. My major problem with the *reliability* aspect of the system is Airbus's claim of being able to satisfy the "one catastrophic failure every million hours" clause for flight control systems in the Federal Aviation Regulations. Airbus can't prove it. Moreover, the FAA requirement for the 1e-9 figure explicitly does *not* apply to flight control *software*, even though it applies to flight control *systems*. Draw your own conclusions. There is also sufficient cause to doubt even our best software engineering techniques. This is an issue that many people like to ignore, assuming that, of course we can produce "perfect" software; if it doesn't work, then somebody must have screwed up. NOT true. IMHO, this sort of thing doesn't belong in a civilian airliner--yet. Airbus proudly points to its revolutionary airplane, but *revolutionary* anythings are rarely well-understood. Related effects of their decision to use FBW-- namely, in the form of the pilot interface--will cause other problems. But Airbus set a precedent, and created a marketing force in the process. Now, other companies have to raise the stakes, too, or risk losing market share. Airbus is extending the A320 EFCS model to include the A330 and A340; Boeing's developing a "tower" (geographically localized hardware) system for the 777. Lastly, there *is* a lot wrong with the A320. But I'm also noticing a lot of scapegoat-bashing going on. The A320's problems are fairly well defined, and need to be corrected. Let's NOT assign our favorite software-engineering pet peeve, arbitrarily, to such a large and accessable target. I'm not addressing this to you in particular, Greg; it's become pretty frequent over the past few months. Robert Dorsett rdd@cactus.org ...cs.utexas.edu!cactus.org!rdd [References available on request.] ------------------------------ Date: Mon, 19 Aug 91 15:54:02 EDT From: smb@ulysses.att.com Subject: Re: Procter&Gamble (RISKS-12.13) It's not just the computerized risks -- apparently, the police officer running the investigation is a part-time P&G security consultant. And no one at either the company or the police department seems to think that there's any conflict of interest. ------------------------------ Date: Mon, 19 Aug 91 12:24:19 LCL From: Paul Mauvais Subject: Re: FSF machine having to clamp down on security (RISKS-12.12) I have heard from someone that Richard Stallman was interviewed on TV after the anonymous accounts were shutdown, and during the interview, several people noticed that his root password was written on the white board behind him, in plain view of the TV camera. Needless to say, it was changed soon after this was realized.... Always nice to have one's root password broadcast to a few million people. Talk about RISKS.... ------------------------------ Date: Mon, 19 Aug 91 21:14 GMT From: NSIL LCM <0004222127@mcimail.com> Subject: Re: "locking" DoD smart weapons (RISKS-12.13) I would rather not spend unbelievable amounts of money on making smart weapons smart enough to know whether they are being fired by the enemy. That runs to the opposite idea, first, that smart US made weapons should NEVER kill the allied forces; thus eliminating Friendly Fire kills. Instead, let the DoD spend a few dollars making innovative things that will explode WHENEVER they are used, and then tell the allies what to look for in the boobytraps. For example, you could mark alot of hand grenades M27A3 instead of M27A1; the A1 variety go off as expected, but the A3's will detonate when the safety pin is removed (without even losing the spoon). Granted that would be rather rude, however, consider that our enemy would suddenly think, hesitate, and perhaps even abandon the idea of using ANYTHING we leave behind. Better that than dropping leaflets... Guy Sherr, Lab Configuration Manager, MCI NSIL, Reston, VA Voice: (703)648-8645 (Vnet 262) ------------------------------ Date: Mon, 19 Aug 91 19:55:08 GMT From: MEDELMA@CMS.CC.WAYNE.EDU (Michael Edelman) Subject: Re: Rumor regarding Soviet calibers The most recent issue of comp.risks [RISKS-12.13] repeated a classic bit of modern arms folklore: That Soviet weapons are designed with calibers slightly larger than US arms so that Soviet arms may fire US ammunition, but not vice-versa. Although this story has been repeated for years, most noteably in Alexander Cockburn's book on defense (itself a wonderful source of misinformation), it is most assuredly false. It probably has its origins in the fact that some Soviet arms have odd sizes- like the "121mm mortor". This, according to Suvarov, is to avoid confusion of mortar rounds with gun rounds. While there is a 120 mm gun and a 121mm mortor, both are actually 120mm. There has never been a Soviet infantry rifle that would safely fire US issue ammunition. Fitting ammunition to a rifle is a critical matter; an error of a few thounsandths in headspace can create a lethal hazard. --mike edelman ------------------------------ Date: Thu, 15 Aug 91 08:15:54 MST From: waters@nddsun1.sps.mot.com (Strawberry Jammer) Subject: More Credit Bureau Risks In Risks a few weeks ago was an account concerning someone's problems with the automated credit bureaus. I read it with a little bemusement thinking "it cant happen to me". I soon learned better, that same day I received a rejection notice for a credit card application. The reason? Bankruptcy. BANKRUPTCY? I haven't filed bankruptcy nor do I even plan to, and you would think that *I* would know about it. The credit bureau checked and responded "yes thats correct - tough" (in so many words). It took a letter to my U.S. congressman to get to the bottom of it. It seems my EX-WIFE had filed bankruptcy and two of our former joint accounts were reporting "a party on the account is bankrupt". TRW interpreted this to mean "liquidated through bankruptcy", and LO! I too had no credit! TRW (under presure) has agreed to remove the items from my credit report, but when I next pay my mortgage and they report the on time payment, who knows what will happen! Watch out, folks, it CAN happen to you! Mike Waters, waters@nddsun1.sps.mot.com ------------------------------ Date: Thu, 15 Aug 1991 08:09 EDT From: "E. M. Culver x5416" Subject: RISKS of calling 911 from cellular phones I have wondered what happens when you call 911 from a cellular phone. In Connecticut, you get the State Police who will (maybe) help you. 911 coverage here approaches 100%, so calling 911 from a cellular phone is not necessarily silly. Somebody tried, nobody got hurt and the human side of the system did not work... [Digested from "Cellular Caller Gets Runaround Reporting Fire", New Haven (Connecticut) Register, 13 August 1991. I removed the individual names.] A Wallingford, Connecticut woman called to report a fire in her public housing duplex on August 9 (at about 11:45am) by calling 911 on her cellular telephone. In Connecticut, 911 calls from cellular phones are routed to the nearest state _State Police_ barracks. The State Police dispatcher told the woman "This number is for state police emergencies only. You have to call 1-411 {the information number } and get the number of your local fire department." Fine--she did that. The Wallingford Fire Department's dispatcher told her to call 911..... In frustration, she called the Wallingford Police, told the story and waited. After a few minutes (this was less than a mile from the fire house) she concluded the Fire Department had not been told. She called the fire department again, saying "My house is burning down and nobody's going to come?" and getting agitated. About 25 minutes after the call to 911 the fire trucks arrived. A maintenance worker sent by the housing authority had already put out the fire. There were no injuries. The Fire Chief said the Fire Department is instituting a policy change so dispatchers will handle emergency calls on non-911 lines instead of directing callers to dial 911. The State Police get 911 calls from cellular phones because these calls are usually report traffic accidents. State Police dispatchers are supposed to route fire calls to the appropriate local fire department. 911 calls made from regular phones can be traced to the physical address from which the call originated--either the old fashioned way or with an advanced form of caller ID, which give the dispatcher the physical address of the phone originating the call. ------------------------------ Date: Thu, 15 Aug 91 10:01 CDT From: Dan_Jacobson@ATT.COM Subject: Book: "Narcissistic process and corporate decay..." Interesting sounding book: Howard S. Schwartz. Narcissistic process and corporate decay : the theory of the organization ideal. New York University Press, c1990. xiv+151 pp. ISBN 0-8147-7913-1. Corporate culture; Organizational behavior; Challenger (Space shuttle)--Accidents; General Motors Corporation--Management; U.S. National Aeronautics and Space Administration--Management. PART ONE - The Theory of the Organization Ideal 1 The Clockwork or the Snakepit: An Essay on the Meaning of Teaching Organizational Behavior 2 On the Psychodynamics of Organizational Totalitarianism 3 Antisocial Actions of Committed Organizational Participants PART TWO - Organizational Decay and Organizational Disaster 4 Totalitarian Management and Organizational Decay: The Case of General Motors 5 Organizational Disaster and Organizational Decay: The Case of the National Aeronautics and Space Administration 6 On the Psychodynamics of Organizational Disaster: The Case of the Space Shuttle "Challenger" PART THREE - American Culture and the "Challenger" Disaster: A Historical Perspective 7 The Symbol of the Space Shuttle and the Degeneration of the American Dream 8 Conclusion: Addiction and Recovery ------------------------------ End of RISKS-FORUM Digest 12.14 ************************