Mail-From: NEUMANN created at 3-Jul-86 20:20:55
Date: Thu 3 Jul 86 20:20:55-PDT
From: RISKS FORUM (Peter G. Neumann, Coordinator)
Subject: RISKS-3.17
Sender: NEUMANN@CSL.SRI.COM
To: RISKS-LIST@CSL.SRI.COM

RISKS-LIST: RISKS-FORUM Digest, Thursday, 3 July 1986 Volume 3 : Issue 17

FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  How Much Computer Literacy Is Enough? (JAN Lee)
  Working within the system (Rich Cowan)
  Re: [Airwaves &] Security -- SDI (Herb Lin)
  Complex issues, complex answers (Bob Estell)
  Politics and Engineering Practice (Seifert)
  Multiple copies of RISKS-3.16 (Kenneth Sloan)
  GTE Sprint billing problems (Chuck Weinstock/Lee Breisacher)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, nonrepetitious. Diversity is welcome.
(Contributions to RISKS@SRI-CSL.ARPA, Requests to RISKS-Request@SRI-CSL.ARPA.)
(Back issues Vol i Issue j available in SRI-CSL:RISKS-i.j. Summary Contents in MAXj for each i; Vol 1: RISKS-1.46; Vol 2: RISKS-2.57.)

----------------------------------------------------------------------

Date: Wed, 2-JUL-1986 11:46 EDT
From:
To:
Subject: How Much Computer Literacy Is Enough?
ReSent-To: RISKS@CSL.SRI.COM

I would like to open a new area for discussion, that I hope can involve three elements of the audience: educators, workers, and philosophers, but hitting at what I believe to be a fundamental element of the "Risks to the Public" concept. It is the area of teaching programming.

Over the past several years there has been a salutary movement in the presentation of first course material away from a course in the syntax of BASIC (etc.) to a course which is now entitled "Computer Literacy". There are numerous textbooks available (25 as of my count published since last Fall alone!)
and the topics seem to fall into four basic areas:

  (1) An overview of what a computer is -- including hardware and software,
  (2) An excursion into the applications of computers in various fields (which can be tailored to specific students' interests),
  (3) The social impacts of computers on the world (hopefully including something about risks), and
  (4) Exposure to some elementary activities such as Word Processing, Spreadsheets, Graphics and/or Data Bases.

This organization I support strongly for those for whom this is likely to be the only course they will ever take in this area, and it's not bad also for those who might go on and take a programming course later -- at least they get the background needed for a better understanding of the issues.

NOW FOR MY PROBLEM: We have taught such a course for about four years (since the advent of the PC) and have been pleased with the results, one of which is to strip these students who merely need an exposure to the field out of the later programming courses. HOWEVER, in the normal review for a new course, we were refused approval to continue offering this course unless we included "real" programming. Many departments on campus want to have their students only take one CS course and to be able to program (mostly in BASIC) problems in application areas afterwards.

To do a plausible job of teaching programming (to my way of thinking) requires preparation in the methods of problem solving first and a good grounding in the development process afterwards. Without cutting out the guts of a literacy course, I estimate we have 3-4 weeks (9-12 class periods) to do all this. These students are going to go out and write programs which put people at risk -- dieticians, agriculturalists, etc. I am refusing to offer this course since I do not believe that I can cast out into the field a group of students whose grasp of the problems of programming is insufficient to protect themselves (and others) against errors.
So someone else will teach it!

NOW FOR MY QUESTION: How little can we get away with in preparing students to use the computer for problem solving and not put their eventual clients at risk?

JAN

------------------------------

Date: Thu 3 Jul 86 21:07:12-EDT
From: Richard A. Cowan
Subject: Re: Working within the system
To: risks@CSL.SRI.COM

As Herb Lin pointed out, my statement about working within vs. working outside the system had problems. First of all, I unfortunately implied (but did not mean) that "people should give up on the whole thing"; in fact, I believe that it is almost always possible to work within the system to change it! I think most people can have a significant, visible effect!

The problem is that many people define "working within the system" in a narrow, technical or traditional sense which may blunt or negate the impact they COULD have. Since the nature of our work and the prevailing modes of communication are set up in a compartmentalized fashion to reinforce "the system," one must sometimes circumvent those normal channels to produce change. People are deluded only if they think change will occur through "business as usual."

Although "working outside the system" (and I did not mean violence, as Mr. Jong of Honeywell assumed) sometimes is necessary, organizing a peaceful, but active protest towards a goal may divide people over the goal, alienate those who disagree, produce an institutionally funded backlash, and discourage supporters if it is unsuccessful. Instead of demonstrating, individuals can try to change the CLIMATE in which group positions are formed FROM WITHIN THE SYSTEM, just by banding together in small groups to develop arguments that challenge the standard corporate line.

STRATEGY: One possible strategy for changing the climate from within is to try to MAKE IT ACCEPTABLE for the head of your company/institution to publicly air your concerns.
Although some business leaders may already have strong contrary views, and be impossible to convince, a surprising number may already agree with you -- but remain silent for they lack a support group to give them evidence and confidence.

EXAMPLE: The president of MIT recently criticized federal research priorities -- 75% military funding of R&D -- in a public speech (Science June 13, 1986, p. 1333). Two things had to happen for him to do this: a) students gave him information documenting these trends and b) people within the upper echelons of MIT began talking about the issue after it was raised by faculty and students.

This may not seem very significant, but such criticisms are rarely voiced by the heads of US institutions highly dependent on military funding. This sends a signal to all kinds of observers, including policymakers, that the "establishment" is changing course. It also sends a signal to management/professors and workers/students (when the position is reported in the company paper, for example) that makes it easier for them to discuss the same issues.

If 100 additional university and corporate executives were to each be persuaded by the actions of a few people in each institution to make statements on topics generally excluded from public debate, I believe a significant portion of the "consensus" for US domestic and foreign policy would erode. (i.e. imagine what would happen if several corporate executives felt free to voice opinions such as "a foreign policy which makes friends of thousands and enemies of millions does not seem to make good long-term sense" or "certain fields get more research funding than can be efficiently spent.")

WHERE YOU CAN DO IT: Certainly professional societies and conferences provide a perfect medium for high tech people to raise such issues, thereby making it "acceptable" for others in the profession to have the same concerns.
Even a lowly 23-year-old student like myself can have an enormous impact merely by clipping articles for professors or administrators whom I know are concerned but lack the time to get in touch with activist groups or track down references. Given a few good references, these people won't hesitate to incorporate such ideas into their conversations or speeches, or to express them to people higher in the chain of command. When leaders are concerned, the mainstream press will be more inclined to investigate the issue. When they do, the non-activist public follows.

Since economics necessitates that most people must remain within the system, those people may as well try to make people within existing institutions more open to change. The political role of institutions (especially the leaders) in setting the tone for debate must be held accountable to someone -- why not the employees? Think globally, act locally.

People must insist that the meaning of "service to one's institution" be redefined so that duties besides "maximizing its profit in the short term" are included. Otherwise solutions embodying these concerns (i.e. economic conversion) will always appear radical and be immediately dismissed before they reach the public eye.

-rich

------------------------------

Date: Thu, 3 Jul 1986 10:39 EDT
From: LIN@XX.LCS.MIT.EDU
To: dhm@SEI.CMU.EDU
Cc: risks@SRI-CSL.ARPA, arms-d@XX.LCS.MIT.EDU
Subject: Re: [Airwaves &] Security -- SDI

    From: dhm at sei.cmu.edu

    The SDI should be evaluated on several, I believe, criteria. Please let me try to be brief and state several assumptions.
    () We have a defense need (implicit function of the government).
    () The perfect defense is one that is never tried.
    () The Soviet Union is our strongest enemy.

These assumptions follow from another, and in my mind, more basic premise: we want to maintain our way of life free from external coercion. This more basic premise can lead to your set of assumptions, or to different sets of assumptions.
For example, it could lead to the assumption that a reduction in tensions is a sensible thing to do, which is not mentioned in your set. Of course, I don't think you intended your list to be complete, so I am just adding to it.

    Given these, we can view the SDI in several ways: (condensed)
    () If the Soviets are against it, it must be good for us, i.e., it's a political diversion and keeps them from spending more time on sorry ventures like Afghanistan.

Maybe true and maybe false. If you are my enemy, and you start drilling a hole in your side of the boat, I'm sure going to start complaining. I'd think you'd be well advised to listen to me under those circumstances.

    () It doesn't have to work -- it's successful if no enemy tests it.

But what keeps them from testing it? The threat of retaliation. That's what we have now! That means you have to make an evaluation of why SDI is a better thing to do given all of the other options if you say SDI is the way to go.

    () If it causes our enemies to spend a lot of time and resources to match it, then the diversion of their resources from their people can de-stabilize the government through the rise of dissent and unrest.

Maybe this is good, and maybe this isn't. A time-honored way of rallying the people behind you in time of internal crisis is to provoke a war. Do you really want to push the Soviets into that kind of corner?

    ...Is a program with a known and predictable error rate of one wrong answer in 10,000 executions useless?

It depends on what you use the program for and how often you run it. For some things, a 1/10,000 chance of failure is quite acceptable. For others, it is quite intolerable. It depends on what depends on that wrong answer.
Herb Lin

------------------------------

Date: 3 Jul 86 11:14:00 PST
From: "143C::ESTELL"
Subject: Complex issues, complex answers
To: "risks"

There is a risk - however small - that we, like the machines we use, can begin thinking in "ones and zeros" so that everything is either "true" or "false." I believe that much of the power of computers comes from the aggregation of those "on" and "off" states to represent complex variables, text files, program logic, etc. Further, it helps to recognize sometimes that a third value of even a "logical" variable is "not initialized."

I greatly appreciate Harlan Mills' words that a good decision will come of the collective wisdom of our 535 Congressmen; they will of course be influenced by literally thousands of citizens(*), hopefully including many with expert technical qualifications. Moreover, I see the "official" policy at any moment as being only one "delta" of a long vector, subject to "mid course correction."

[* Note: On the other hand, congress seems heavily influenced by one citizen in particular. PGN]

Thus I assert MY OPINION that SDI should not equate to ICBM defense, even while acknowledging The President's original definition. Mr. Reagan also promised to balance the budget, in his 1980 campaign speeches. That goal has proved elusive - if not "illusive." The nation pursues updated versions of it. Similarly, President Kennedy chartered the "man on the moon" project; but that did not later deter the "grand tour of the planets" which is still going on.

It follows that I agree that working "within" the system is NOT the only way; it just happens to be my way, since I am inside. I applaud efforts of others to work outside the system, but not against it destructively.

As for "opportunity lost" costs, they are always hard to measure; but we must attempt that, because it's vital. What else can we do with the SDI billions? Find the cure to the common cold? explore Mars? cut crime in half? teach Johnny to read?
reduce the deficit? ALL good options. But I think we can't expect those alternatives until after '89. In the interim if we can begin a DEFENSIVE system that can be shared with allies and others as well, maybe after '90 we can re-direct many more billions towards these other worthwhile causes.

Finally, my "epsilon" in the SDI vector is to argue that the billions that DOD probably WILL spend in this decade be dedicated to concepts and objects that are feasible, and do have at least potentially useful side effects. If a major policy shift overtakes that viewpoint, I'll be very grateful. But meantime, I'd like my professional time, and my tax dollars, to go for something that I can be proud of - even after the Millennium.

Bob

[The last paragraph was a little vague and ambiguous, but if you read between the lines in this and Bob's previous messages, the intended meaning is presumably clear. However, let's all try to sharpen our thoughts and our prose on this issue in the future. And keep an eye on the computer relevancy. PGN]

------------------------------

Date: Wed, 2 Jul 86 08:51:56 PDT
From: Snoopy
Subject: Politics and Engineering Practice
Reply-To: Snoopy
Apparently-To: risks@sri-csl.arpa

In RISKS-3.13, the sad fact that politics overrules sound engineering practices is pointed out once more. Later, our fearless moderator comments on e-mail bouncing. Well, guess what? Part of the e-mail bouncing problem is political!

Here at Tektronix, the mail system was suddenly changed without notice, thus either bouncing or dropping mail for days or weeks until every machine changes software, and the "new improved" addresses can be distributed throughout the world. The old addresses do not work. (Real good design there, guys!) Advance notice would have helped substantially, but politics dictated otherwise.
-sigh-

Snoopy
tektronix!doghouse.GWD.TEK!snoopy (address du jour)

------------------------------

Date: 1 Jul 1986 10:16-PDT
From: Kenneth Sloan
Subject: Multiple copies of RISKS-3.16
To: RISKS@csl.sri.com

I received (at least) two copies of RISKS-3.16.

Ken Sloan

++++++++++++++++++++++++++++++++++++++++
>From NEUMANN@SRI-CSL.arpa Tue Jul 1 01:09:38 1986
>Date: Mon 30 Jun 86 23:23:56-PDT
>From: RISKS FORUM (Peter G. Neumann, Coordinator)
>Subject: RISKS-3.16
++++++++++++++++++++++++++++++++++++++++
>From NEUMANN@CSL.SRI.COM Tue Jul 1 03:05:47 1986
>Date: Mon 30 Jun 86 23:23:56-PDT
>From: RISKS FORUM (Peter G. Neumann, Coordinator)
>Subject: RISKS-3.16
++++++++++++++++++++++++++++++++++++++++

[The clue of course is the different FROM Fields. SRI-CSL went down during the wee hours of the morning in order to be reborn under its new name of CSL.SRI.COM. The mailer did its usual trick when the system bombs in the middle of a mailing -- it retries certain addresses to which it had already sent successfully. Sorry. But PLEASE NOTE THE NEW HOST NAME for RISKS and RISKS-Request: @CSL.SRI.COM. Thanks. PGN]

------------------------------

Date: 2 Jul 1986 11:31-EDT
From: Chuck.Weinstock@sei.cmu.edu [and From: Breisacher.OsbuSouth@Xerox.COM]
To: risks@csl
Subject: GTE Sprint billing problems

Sprint just enclosed the following notice in its latest billing:

    We have recently discovered an error in our billing system related to the changeover to daylight savings time. The error may have caused some calls made in the period April 27, 1986 - May 1, 1986 to be billed incorrectly. The error has been corrected, and we are in the process of determining whether your bill was affected. If so, an appropriate adjustment, including applicable taxes and interest, will appear on a future bill...

[...although this one does not appear to have been too costly... PGN]

------------------------------

End of RISKS-FORUM Digest
************************
-------