20-Mar-86 18:09:25-PST,14334;000000000000
Mail-From: NEUMANN created at 20-Mar-86 18:05:49
Date: Thu 20 Mar 86 18:05:49-PST
From: RISKS FORUM (Peter G. Neumann, Coordinator)
Subject: RISKS-2.32
Sender: NEUMANN@SRI-CSL.ARPA
To: RISKS-LIST@SRI-CSL.ARPA

RISKS-LIST: RISKS-FORUM Digest, Thursday, 20 Mar 1986  Volume 2 : Issue 32

FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Om/Comm-ission, and analysis of risks (Niall Mansfield)
  RSO's and IIP's (Dave Curry)
  Complex systems ru(i|n)ning our cities (Mike Mc Namara)
  Re: Two more mailer problems (Bernard S. Greenberg)
  Banknotes for the visually handicapped (Nigel Roberts, Barbara E. Rice)
  Psychological and sociological consequences (Harald Baerenreiter)

The RISKS Forum is moderated.  Contributions should be relevant, sound,
in good taste, objective, coherent, concise, nonrepetitious.  Diversity
is welcome.  (Contributions to RISKS@SRI-CSL.ARPA, Requests to
RISKS-Request@SRI-CSL.ARPA.)  (Back issues Vol i Issue j stored in
SRI-CSL:RISKS-i.j.  Vol 1: MAXj=45)

----------------------------------------------------------------------

Date: Thu, 20 Mar 86 12:30:42 n
To: risks@sri-csl.arpa
From: Niall Mansfield
Organisation: European Molecular Biology Laboratory
Postal-address: Meyerhofstrasse 1, 6900 Heidelberg, W. Germany
Phone: (6221)387-1 [switchboard] (6221)387-247 [direct]
Subject: Om/Comm-ission, and analysis of risks

It is often difficult to decide whether an action carried out really is
a fault of omission or commission.  As is so often said, many program
failures are due to not considering a possible set of circumstances,
which when it occurs causes the program to act improperly.  In such
cases, the damage is certainly an act of commission, but the real
failure is the omission to predict the failure.
I think that any attempt to distinguish formally between om/comm-ission
is likely to lead to sophistic arguments distracting attention from the
real cause of the problem.

Another unproductive approach seems to be suggested by something PGN
said in RISKS-2.27:

> A fine example of the risks having to include people, not just
> computers, and of a more pervasive role of the computer than meets
> the eye -- indeed a more human-oriented computer system might have
> helped!  Thus, even though it appears NOT to be a computer problem,
> we discover that the computer could have done better!

There are very few cases where a system which has failed could NOT have
done better, so saying it doesn't advance our understanding.  It seems
that because RISKS is about computer risks, then we will do our best to
find a computer cause for every failure.  (Remember the immediate
speculation after the Shuttle disaster about how a computer could be
shown to be responsible).  Surely RISKS should concentrate on failures
that occur because of computer involvement but which would not have
occurred with a human-only system, because systems are always going to
fail.

As Murray.pa@xerox pointed out in RISKS-2.21, there are risks involved
in not using computers, where such use can lead to saving lives: if a
system is doing superb work 99% of the time, it is fruitless to pick on
the 1% failure, and jump on the bandwagon saying "Ohhhhhh, the
computer's run amok, isn't it terrible".  We must keep risks and
benefits in perspective.

As PGN finished off:

> But, of course, don't blame the computer system.
> Blame the people who specified, designed, and
> implemented it -- not JUST the train operator(s).

This is the heart of the matter - we are looking at the risks
(presumably) so that we humans, the makers of systems, can avoid the
same mistakes, not just for the malicious pleasure of beating the drum
about somebody else's shortcoming.  (So maybe I don't disagree with PGN
after all).
------------------------------

Date: Thu, 20 Mar 86 07:44:56 EST
From: davy@ee.purdue.edu (Dave Curry)
Message-Id: <8603201244.AA29624@ee.purdue.edu>
To: mooremj@eglin-vax.arpa
Subject: RSO's and IIP's
Cc: risks@sri-csl.arpa

One thing keeps nagging at me after reading your explanation of RSOs
and IIPs.  I suspect it's more from my lack of knowledge about
trajectories and launching things and such than anything else.  Anyway,
here goes...

You said several times that if the IIP ever crosses the "safety lines"
then the missile should be destroyed.  What I'm confused about is this:
does this mean that under "normal" circumstances the IIP never crosses
these lines, or do you mean the missile should be destroyed only if
something is "wrong"?  It seems to me (again I know very little about
launching things and such) that if the IIP can never go "that way" then
you are limited in the directions you can send a rocket (come to think
of it I guess I've never heard of a launch going "back" over the U.S.
to get somewhere...).

Also, where does the consideration of the IIP stop?  Something sticks
in the back of my mind that the shuttle flies over land masses (isn't
there someplace in Rota, Spain where they can abort?).  If it does,
does this mean the IIP itself never touches the land masses, or does
the IIP become less important after the missile reaches a certain
speed/altitude/trajectory?

Thanks,

--Dave Curry

------------------------------

Date: Wed, 19 Mar 86 19:07:42 pst
From: lll-lcc!tflop!mac@lll-crg.ARPA (Mike Mc Namara at ESL Sunnyvale Ca)
To: RISKS@sri-csl.ARPA
Subject: Complex systems ru(i|n)ning our cities

In pursuit of new directions for the RISKS forum, and in response to a
recent article in the New Yorker Magazine, I bring up the subject of
the risks inherent in the complex systems in which we live.  We've
probably all heard talk about how few hours New York City could survive
without power/ water/subway/ etc, but perhaps it is worth discussing in
this forum.
The article in the NYM is written from the perspective of a resident of
a self-sufficient rent controlled apartment in the Village, who feeling
quite smug about his castle, suddenly notices all the holes in the
wall.  There is the hole letting in electricity, the one for natural
gas; there are lines for taking out the sewage, and lines bringing in
fresh water.  This writer wonders where these lines lead.  He then
takes us along in his search to James Bay in Canada, where New York
gets some of its electricity from hydroelectric plants.  He takes us to
Arizona, where some of the uranium for the Indian Point reactors is
mined.  He takes us to Brazil, where Con Ed gets the low quality diesel
oil to burn to make electricity.  Similarly, he takes us upstate to the
many reservoirs which supply New York with its world famous water.  He
follows the gas mains to Louisiana.  And so on.

I offer to the risk readers the question, How intelligently are we
managing the risks assumed by the creation of our complex cities?  We
build systems so that millions of people can live in areas that are
really deserts.  What risks exist because of the creation of a L. A.
that relies on 500 mile aqueducts to supply life-critical water?  Who
is in charge of insuring adequate safeguards?  Budget conscious, 2 year
term politicians, or life time members of water boards?

The ramifications of any single failure of a utility system can
probably be maintained via such a board that takes the long view and
has the capital to implement long term strategies.  But what about the
interdependencies of utilities?  What would a water shortage do to a
nuclear power plant, that perhaps required cooling water that simply
wasn't available?  What would a collapse of the telephone system do to
a natural gas distribution system that used remote pressure regulators
that were controlled via telephone links?  What organizations exist to
worry about such things, so I rest assured that there is no problem,
and get some sleep at night?
What inter-system crashes are the readers aware of, that they might
share with this list?

------------------------------

Date: Thu, 20 Mar 86 11:15 EST
From: Bernard S. Greenberg
Subject: Re: Two more mailer problems
To: RISKS@SRI-CSL.ARPA

    Date: Wed 19 Mar 86 17:54:33-PST
    From: RISKS FORUM (Peter G. Neumann, Coordinator)

    Date: Wed 19 Mar 86 16:34:28-EST
    From: "Sidney Markowitz"
    Subject: Two more mailer problems
    To: risks@SRI-CSL.ARPA

    1) I did not personally see this, but I was told that Symbolics
    briefly introduced a new feature in their mail program with the
    current release of the operating system.  It was a new header line
    that a sender could use to include graphics as part of the mail
    message.  This was implemented by having the header line include a
    lisp expression that would be evaluated (executed) when the
    receiving mailer loaded the message for display.  Somebody pointed
    out the other possible ways in which an arbitrary piece of executed
    code in a mail message could be used, and that feature was dropped
    very quickly.

This is utterly and wholly false.  No one here would be so naive.

Bernard S. Greenberg, Symbolics, Inc., Cambridge, Mass.

------------------------------

Date: Thursday, 20 Mar 1986 01:59:05-PST
From: roberts%forty2.DEC@decwrl.DEC.COM
To: risks@sri-csl.ARPA, roberts%forty2.DEC@decwrl.DEC.COM
Subject: Banknotes for the visually handicapped (RISKS-2.31)

The Netherlands uses a similar system of raised impressions.  High
denominations are distinguished by different symbols (e.g. the H.Fl 50
note has a raised triangle, while lower notes such as the 10 and 25
have dots).  I'm afraid I don't know what the new H.Fl 1000 notes have
--- I don't see them very often :-).

Britain, on the other hand, simply uses different sizes of paper for
different denominations, as does West Germany.

Nigel Roberts, Reading, England

   [Different sizes of paper don't help the visually handicapped
    discriminate copy-machine products from originals....
    PGN]

------------------------------

Date: Thu, 20 Mar 86 10:51:27 est
From: rice@nrl-csr (Barbara E. Rice)
Message-Id: <8603201551.AA00237@nrl-csr.ARPA>
To: RISKS-Request@SRI-CSL.ARPA
Subject: Banknotes for the visually handicapped

With all the talk about fooling the visually impaired by altering
raised marks on bills or the magnetic ink, has anyone considered how
small a population they are dealing with?  My uncorrected vision went
beyond legally blind twenty years ago and has continued to go down hill
since then.  Without my glasses I can not see the eyechart much less
any letters on it (with my glasses I can just scrape by a driver's eye
exam).  So I conducted a test here: with my glasses off I was able to
distinguish between a five and a one dollar bill at 6 feet (much
further than arm's length).  So the population that could be fooled by
such means I would say is relatively small, too small for it to be
worth anyone's time and effort to steal from them.

It would also be risky.  Most people remember where it is that they get
money from and where they have bought things.  Anything larger than a
$20 I definitely know where I got it.  The error would be picked up by
any sighted person dealing with the blind person, not just an expert in
counterfeit detection, thus the altered bill would be rapidly
discovered.  So a person using this scheme would have to be constantly
on the move and not collecting very much for his efforts.  For most
large purchases people use credit cards or cashiers check.  Purse
snatching or mugging would yield a better risk and effort vs profit
ratio.

The point I hope I made is that thinking of methods to get around
marking intended to help the blind is an interesting mental exercise
but none of the methods thought up is a reason for not putting aids to
the blind on currency.  (really a blind customs agent?  How many are
there and how would you guarantee you got him?  With my luck he would
call in sick that morning and then I would really be in trouble.)
A better reason for not using such aids is the small number of people
who would benefit by it, but then you should consider the number of
would-be counterfeiters it might frustrate into trying other means of
getting rich quick.  That would be a good systems trade off problem.

   [Come on, now.  You think the example of the blind customs agent was
    serious?  I was trying to give you an example where reducing the
    value constituted a risk.  The problem is one of vulnerabilities.
    Pacemakers and automobile microprocessors are fine.  But there are
    some very serious risks that must not remain unconsidered.  Of
    course there are advantages to currency interpreters.  But are they
    designed so poorly that they accept blank pieces of paper with
    funny symbols embossed on them?  Do they introduce new risks that
    never existed before?  PGN]

------------------------------

Date: Thu, 20 Mar 86 11:27:54 cet
To: NEUMANN@SRI-CSL.ARPA
From: ERA01%DHAFEU11.BITNET@WISCVM.WISC.EDU
Subject: Psychological and sociological consequences
ReSent-To: RISKS@SRI-CSL.ARPA

We are preparing a study about the psychological and sociological
consequences if young people have intensive contacts with (home-)
computers.  So, we are looking for empirical studies (in wide spread)
dealing with that subject.  We are especially searching for articles
about

 - different methodological approaches (e.g. analytical, ethnological,
   qualitative and quantitative aspects ...)
 - empirical designs and ideas
 - results.

If you have any information (or know anyone who has) please help us.
Contact HARALD BAERENREITER, Fernuniversitaet, Arbeitsbereich
Allgemeine Soziologie, Postfach 940, D-5800 Hagen, F.R.G., or NETMAIL
to FROM: field.

Thank you for being so helpful.

Harald.

------------------------------

End of RISKS-FORUM Digest
************************
-------