8-Apr-86 21:19:15-PST,12021;000000000000
Mail-From: NEUMANN created at 8-Apr-86 21:15:55
Date: Tue 8 Apr 86 21:15:55-PST
From: RISKS FORUM (Peter G. Neumann, Coordinator)
Subject: RISKS-2.38
Sender: NEUMANN@SRI-CSL.ARPA
To: RISKS-LIST@SRI-CSL.ARPA

RISKS-LIST: RISKS-FORUM Digest, Wednesday, 9 Apr 1986 Volume 2 : Issue 38

FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  The UK Driving Vehicle Licensing Centre (Brian Randell)
  Computer crime wave (Chris Hibbert)
  Programming productivity (Herb Lin)
  Request for information about military battle software (Scott E. Preece)
  Aviation Week Technical Survey: AI & Aviation (Werner Uhrig)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, nonrepetitious. Diversity is welcome.
(Contributions to RISKS@SRI-CSL.ARPA, Requests to RISKS-Request@SRI-CSL.ARPA.)
(Back issues Vol i Issue j stored in SRI-CSL:RISKS-i.j. Vol 1: MAXj=45)

----------------------------------------------------------------------

From: Brian Randell
Date: Tue, 8 Apr 86 12:03:45 gmt
To: RISKS@sri-csl.arpa
Subject: The UK Driving Vehicle Licensing Centre

Several newspapers and magazines here have carried stories about the alleged activities of hackers regarding the Driving Vehicle Licensing Centre - a very large computer system that has received much bad publicity in the press and in parliament over the years because of cost over-runs and delays. Here is a sample, from the April 1986 glossy journal "Business":

"Computer hackers have been running a brisk racket "cleaning up" the driving licences of wealthy business men. For a charge of [pounds] 100 a point endorsements have been erased from the files of the British Government's Licensing Centre at Swansea and its supposedly impenetrable computer ordered to issue new licences.

Drivers who accumulate 12 penalty points within 3 years are liable to ban or disqualifications.
Reckless driving, for instance, attracts 10 points; failing to stop after an accident 5.9 points; drunken driving 10 points (plus a 12 months disqualification).

Drivers' records at Swansea are held on the Department of Transport's 3081 Model G mainframe, whose manufacturers, of course, are not responsible for its customers security procedures.

About a year ago, an access code number appeared on at least four "bulletin boards" - informal computer games and information exchange facilities set up and used by home computer enthusiasts (not in this instance mischievous schoolboys).

"I am not suggesting the number on the board was that of the DVLC", says a source, "but it gave you access to a database with levels of password protection. It was obviously a secure system and was related to DVLC because the name headed the file. The access was not very privileged but knowing the procedures allowed priority in the system and enabled you to eliminate endorsements and order new licences to be issued."

Amendments to the DVLC mainframe were automatically carried through to the back-up records kept on magnetic disc storage."

Such stories have inspired denials from the DVLC - for example in Datalink:

"The Driving and Vehicle Licensing Centre in Swansea has denied press reports that computer hackers have broken into its database and wiped traffic offenses off driver records.

The DVLC, which employs 1500 staff in a computer centre running a variety of kit including two IBM 3083s, is adamant that its system is secure from outside interference.

"We have no dial-in facility, there's no electronic access at all from off-site," a spokesman said.

Some 160 programmers work at the DVLC, and the spokesman admitted that officials are "looking at internal arrangements" to see whether files have been amended in return for payment."

My cynical view is that from most other sources such a denial would be immediately accepted, and indeed it may well be true.
However the thought that such record tampering just might be going on, and so allowing banned drivers back onto the roads, is a worrying one.

Cheers,

Brian Randell - Computing Laboratory, University of Newcastle upon Tyne

  ARPA  : brian%cheviot.newcastle@ucl-cs.arpa
  UUCP  : !ukc!cheviot!brian
  JANET : brian@uk.ac.newcastle.cheviot

------------------------------

Date: Wed, 2 Apr 86 10:53:29 PST
From: Hibbert.pa@Xerox.COM
Subject: computer crime wave
To: RISKS FORUM (Peter G. Neumann, Coordinator)

There was an article in the March 31, 1986 edition of the Washington Post's National Weekly Edition titled "The Computer Crime 'Wave': It's more politician's bark than our byte". After an initial few paragraphs in which the writer reminded us that "national commissions that are set up to study and report on This Trend or That Issue always end up concluding that the trend/issue in question is a bigger national problem than anybody ever imagined", the article reported on the "First Annual Statistical report" from the National Center on Computer Crime.

"Over a two year period, the national center surveyed 130 prosecutor's offices in 38 states and asked how many computer crimes each office had encountered. ... The national center's survey of prosecutors came up with a grand total of 75 reported 'computer crimes.' Even that minuscule number, it must be noted includes some infractions that can only be classified 'computer crime' if you stretch the language considerably.

One reported case involves ... a county prosecutor ... who got a friend in the motor vehicle department to delete two speeding tickets from his driving record. This is labeled 'computer crime' because the record was on a computer tape...

In short, this first national census says that 'computer crime,' by any stretch of the definition, is a statistically minute phenomenon. The antics of a few hackers have garnered grossly disproportionate attention from the media and the law-enforcement community.
So-called 'computer crime' is novel and exciting, so it's hardly surprising that even a few cases would attract considerable notice.

But Legislators around the country are acting as if there really is a 'computer crime' problem. The center's study shows that 22 states passed new 'computer crime' legislation in the past two years. ..."

Chris

------------------------------

Date: Sun, 6 Apr 1986 23:45 EST
From: LIN@XX.LCS.MIT.EDU
To: risks@SRI-CSL.ARPA
Subject: Programming productivity

    From: ihnp4!utzoo!henry at seismo.CSS.GOV

    I went and re-read Terry Winograd's old "Reactive Engine" paper. He comments, roughly: "If, by decree of God or ARPA, we were only allowed to run one user at a time on the PDP-10, just think of all the effort that would be invested in making that one user's time productive." Despite the enormous increases in computing power available to individual users since then, that has not happened: much of that extra power is simply being thrown away.

True enough. But why do you think that large amounts of effort invested would necessarily improve productivity? Despite long practice, for example, people can hold only a few ideas simultaneously in short term memory. There are mnemonic aids available, but they don't enable someone to do hundreds of times better. I use this analogy because there is some evidence that limitations on short-term memory account for a variety of cognitive limitations, among which may be programming. Ultimately, it may be the limitations of the human mind that prevent us from forever expanding our achievements.

    How many programmers, even ones working on life-critical software like airliner flight control or fiercely difficult problems like ballistic-missile defence, have the kinds of electronic and human support that these thoughts suggest are possible?

That's easy. Not many. Indeed, military software procurement is by all accounts an utter mess.

------------------------------

Date: Mon, 7 Apr 86 09:43:05 cst
From: preece%ccvaxa@gswd-vms (Scott E. Preece)
To: RISKS@sri-csl.arpa
Subject: Request for information about military battle software

> [Parnas, quoted by Dave Benson]
> The other members of the SDI advisory panel that David Parnas was on
> and other public figures have said "Why are you so pessimistic? You
> don't have any hard figures to back up your claims." Parnas agreed
> that he didn't have any until he thought of the only one that he
> needed: ZERO. ZERO is the number of real systems that were trustworthy
> at first use. ZERO is the number of real systems that met unknown
> requirements at first use. ZERO is the number of prototyped systems
> that worked at first use. ZERO is the number of simulated systems that
> worked at first use. ZERO!
----------

There are two essential, undefined terms in this statement: "first use" and "worked". The shuttle Enterprise, for instance, worked the first time they dropped it from its carrier 747. Was that its "first use", or do you count the many hours of simulation preceding that first flight? I wasn't there and have no idea whether there were bugs that showed up, but they clearly didn't keep the test from succeeding. Is that "working"?

The trouble with a debate like this is that it tends to force people more and more into idiotic dichotomized positions. SDI software would obviously be a huge challenge to produce and validate. I have no hope it would work perfectly the first time used; I have no reason to believe it wouldn't work partially the first time it was used. The question of how perfectly it has to work is the central one.

All the reports I've seen on both sides, including Parnas's essays, are hand waving. The task is too ill defined to be making statements about whether it can be done. The debate is silly.
If you build the thing, you don't trust your security to it until you have been damned well convinced that it works; I am unwilling to accept the statement that "You can never be convinced that it works," when daily we all trust our lives dozens of times to things that we have been convinced work.

There are plenty of good and, I think sufficient, arguments for not building SDI without claiming that it can't be done.

--
scott preece
gould/csd - urbana
ihnp4!uiucdcs!ccvaxa!preece

------------------------------

Date: Tue 8 Apr 86 11:06:41-CST
From: Werner Uhrig
Subject: Aviation Week Technical Survey: AI & Aviation
To: aviation@R20.UTEXAS.EDU, risks@R20.UTEXAS.EDU
Message-ID: <12197222935.31.CMP.WERNER@R20.UTEXAS.EDU>

[ I am sure, readers of AVIATION and RISKS are interested also; for somewhat different reasons, of course .... ---Werner ]

---------------

Date: Wed 26 Mar 86 09:08:28-PST
From: Oscar Firschein
Subject: Aviation Week Technical Survey

AILIST readers might be interested in the following:

Aviation Week and Space Technology, Feb. 17, 1986 has a technical survey of artificial intelligence, mostly applied to military applications. Included are the DARPA-supported programs in Pilot's Associate and the Autonomous Land Vehicle (ALV) and the VLSI lisp machine being built by Texas Instruments.

Company profiles include McDonnell Aircraft's work in the Pilot's Associate and avionics maintenance expert system; Boeing's AI Center; MITRE's work in natural language understanding; Grumman's decision support systems; Hughes AI center; and Westinghouse avionics troubleshooting expert system.

------------------------------

End of RISKS-FORUM Digest
************************
-------