Mail-From: NEUMANN created at 20-Sep-86 08:58:08
Date: Sat 20 Sep 86 08:58:08-PDT
From: RISKS FORUM (Peter G. Neumann -- Coordinator)
Subject: RISKS-3.59
Sender: NEUMANN@CSL.SRI.COM
To: RISKS-LIST@CSL.SRI.COM

RISKS-LIST: RISKS-FORUM Digest, Saturday, 20 September 1986  Volume 3 : Issue 59

   FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Computers and Wall Street (Robert Stroud)
  Report from the Computerized Voting Symposium (Kurt Hyde)
  Computers, TMI, Chernobyl, and professional licensing (Martin Harriman)
  Failsafe software (Martin Ewing)
  Software vs. Mechanical Interlocks (Andy Freeman)
  How Not to Protect Communications (Geoff Goodfellow)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious.  Diversity is welcome.
(Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM)
(Back issues Vol i Issue j available in CSL.SRI.COM:RISKS-i.j.
Summary Contents in MAXj for each i; Vol 1: RISKS-1.46; Vol 2: RISKS-2.57.)

----------------------------------------------------------------------

From: Robert Stroud
Date: Thu, 18 Sep 86 14:07:59 gmt
To: risks@csl.sri.com
Subject: Computers and Wall Street

I came across an article in Computing which gives more details about the way in which computer systems are influencing the stock market. It suggests that dealers are forced to rely on the "intuition" of their system, even against their better judgement, for fear of being caught out.

Personally I find this trend very alarming, but perhaps the fluctuations on the stock market are just "noise" with no lasting influence on the real economy. Unfortunately, the "noise" can be heard around the world.

Robert Stroud,
Computing Laboratory,
University of Newcastle upon Tyne.
ARPA robert%cheviot.newcastle@cs.ucl.ac.uk (or ucl-cs.ARPA)
UUCP ...!ukc!cheviot!robert

----------------------------------------------------------------------------

Reproduced without permission from Sep 18th Computing, (c) Computing.

"Technology led Wall Street to drop prices" by Alex Garrett

The crash in prices which wiped a record amount off the value of shares on Wall Street last week was largely the result of computerised dealing systems failing to read the market.

Computer generated selling of shares was estimated to account for almost 50% of the transactions that caused a record volume of 240 million shares to change hands last Friday. But it is believed that the effect of the computers was to exaggerate the underlying movement in the market, so that many shares were sold unnecessarily.

The problem has arisen as a number of factors conspired to make the US stock markets subject to increasing fluctuations, which in turn has caused stockbrokers to rely far more heavily upon the split-second advice of their computer systems.

In particular, many systems are triggered by a drop in share price to instruct a dealer to sell, and he will often do so, even against his better nature, for fear of being caught out.

.... this kind of feature has yet to be adopted in the UK.

Ian Reid ... said that although shares will often recover their price within a short time, some of the computer systems in the US do not have the intuition to see this.

------------------------------

Date: Friday, 19 Sep 1986 11:37:13-PDT
From: hyde%abacus.DEC@decwrl.DEC.COM (Jekyll's Revenge 264-7759 MKO1-2/E02)
To: risks@sri-csl.ARPA, self%abacus.DEC@decwrl.DEC.COM
Subject: Report from the Computerized Voting Symposium

Belated Report from the Symposium on Security and Reliability of Computers in the Electoral Process -- August 14th & 15th, 1986

The participants came from many backgrounds, computer people, writers, attorneys, and even one Secretary of State.
Some of the highlights emphasized by one or more speakers were:

o Lever voting machines are still the fastest way to count votes. The computerized vote counting machines are slower than lever machines, but faster than paper ballots.

o Lever voting machines still appear to be the safest way to count votes.

o The State of Illinois tested its computerized voting equipment and found numerous instances of errors in vote counting, primarily in undervotes, overvotes, and straight party crossovers.

  NOTE: An undervote is voting for fewer candidates than the maximum allowed for an office. An overvote is voting for more candidates than allowed for an office. A straight party crossover is casting a vote to be applied to all members of a party and then switching one or more votes to candidates from another party.

o A group of Computer Science students at Notre Dame (South Bend, IN) tested a punch card voting system with a group of test ballots. By altering only the control cards they were able to manage the vote totals to predictable incorrect totals.

Some of the recommendations made by one or more speakers were:

o Five percent of all votes cast should be recounted by a different method than the original count.

o Security standards for computerized voting are needed immediately. The expanding use of computerized vote counting equipment may preclude an effective implementation of such a standard.

o Punch card ballots should be redesigned to make the punch card into a ballot that is readable by the voter as well as by the computer.

o Internal procedures of computerized voting equipment must be open to the public in order to let the public be in control and to assure public confidence in the electoral process.

o Computerized voting equipment must have the capability of allowing the voter to monitor the ballots cast by the computer to be sure it has voted as instructed.
o There should be public domain vote counting software in order that companies not have to keep their programs for proprietary ownership reasons.

NOTE: Does anyone know of a Computer Science student looking for a project? I'm willing to share my notes. Is there anyone with the resources to build prototypes that have security features, such as voter-readable punch cards or a computer-generated, recountable ballot?

Bill Gardner, New Hampshire's Secretary of State, informed us that New York City is planning to purchase new voting equipment. This is likely to become a de facto standard for New York State and, possibly, for the whole nation. Risks Forum people who'd like to contact the New York City Task Force should contact:

   David Moscovitz
   New York City Elections Project
   2 Lafayette Street, 6th Floor
   New York, NY 10007
   (212) 566-2952

The results of my informal poll on trusting a computerized voting system:

                                        Trust    Not Trust   Undecided
(1) Internal Procedures secret           2/40      38/40        0
    Results not monitored by voter
(2) Internal Procedures Revealed         6/40      34/40        0
    Results not monitored by voter
(3) Internal Procedures secret          10/40      28/40       2/40
    Results can be monitored by voter
(4) Internal Procedures Revealed        24/40      11/40       5/40
    Results can be monitored by voter

------------------------------

Date: Wed, 17 Sep 86 09:42 PDT
From: Martin Harriman
To: risks@CSL.SRI.COM
Subject: Computers, TMI, Chernobyl, and professional licensing

The NRC does require testing and certification of the software used in the design of nuclear power plants: this includes the software used for seismic simulations, fueling studies, and simulations of coolant behavior (which can get quite complex in BWR designs). The reactors themselves are designed to be stable, so they do not require a complex control system for safe operation (unlike military aircraft with negative aerodynamic stability).
Incidentally, the feedback mechanisms used to produce stability in US reactor designs are missing from graphite moderated, water damped designs like Chernobyl; this lack of stability contributed to the initial explosion at Chernobyl.

Professional licensing is state-regulated; I'm not aware of any states with a professional engineer exam for software engineers. I don't believe that professional licensing is all that useful; I'm more interested in quality assurance for safety-related software (and hardware) than in ensuring that some fraction of the people developing the software passed an examination.

It would be fairly amusing if PE registration became popular with software engineers, since it would mean they would all need to learn a fair chunk of civil engineering (the Engineer In Training exam requires it).

--Martin Harriman

------------------------------

Date: Thu, 18 Sep 86 09:57:27 PDT
From: mse%Phobos.Caltech.Edu@DEImos.Caltech.Edu (Martin Ewing)
Subject: Failsafe software
To: arms-d%Phobos.Caltech.Edu@DEImos.Caltech.Edu, risks%Phobos.Caltech.Edu@DEImos.Caltech.Edu

How can we even dream of SDI or fly-by-wire aircraft when I just received 12 nearly identical copies of the last ARMS-D mailing, at 33 KB a crack?

Seriously, this is an example of failsafe: if some transmission error occurs before a message transmission is complete, send it again, and again, and again... And no one is even shooting at the net, as far as I know.

Martin Ewing

------------------------------

Date: Thu 18 Sep 86 10:16:01-PDT
From: Andy Freeman
Subject: Software vs. Mechanical Interlocks
To: risks@CSL.SRI.COM

One current advantage of mechanical interlocks is that they can (usually) be bypassed or modified in the field. If I went on a special toss-bombing mission, I'd be much happier hearing "the mechanical upside-down bomb-release interlock has been removed" than "we just patched out that section of the code and burned a new prom".
-andy

------------------------------

Date: 20 Sep 1986 06:52-PDT
Subject: How Not to Protect Communications
From: the tty of Geoffrey S. Goodfellow
To: risks@CSL.SRI.COM
Cc: security@RED.RUTGERS.EDU

[The New York Times, September 13, 1986]

BALTIMORE - The Senate should avoid repeating the mistake made by the House when it unanimously passed the Electronic Communications Privacy Act. Purportedly a benign updating of the 1968 Federal wiretap law designed to guarantee privacy in the electronic age, the bill actually promotes the cellular telephone industry at the expense of the public good.

True enough, obsolete language in the existing wiretap law fails to address digital, video, and other new forms of communications. The proposed law would fix that. But it would also declare certain communications legally private regardless of the electronic medium employed to transport them. The mere act of receiving radio signals, except for certain enumerated services like commercial broadcasts, would become a federal crime.

To disregard the medium is to ignore the essence of the privacy issue. Some media, such as wire, are inherently private. That is, they are hard to get at except by physical intrusion into a residence or up a telephone pole. Other media, notably radio signals, are inherently accessible to the public. Commercial radio and television broadcasts, cellular car telephone transmissions and other "two-way" radio communications enter our homes and pass through our bodies. Cellular phone calls, in fact, can be received by most TV sets in America on UHF channels 80 through 83.

If radio is public by the laws of physics, how can a law of Congress say that cellular communications and other forms of radio are private? The unhappy answer is that the proposed law appears to be a product of technological ignorance or wishful thinking. A similar edict applied to print media would declare newspapers, or portions of them, to be as private as first class mail.
The result is plainly absurd and contrary to decades of reasonable legislative and judicial precedent.

In contrast, present Federal statute prescribes a sensible policy for oral communications, protecting only those "uttered by a person exhibiting an expectation that such communication is not subject to interception under circumstances justifying such expectation." To illustrate, a quiet chat in one's parlor would likely be protected. Substitute for the parlor a crowded restaurant or the stage of a packed auditorium, the expectation of privacy is no longer justified. The law would not grant it.

Congress should apply this same logic to electronic communications. The broadcasting of an unencrypted radio telephone call, or anything else, is an inherently public act, whether so intended or not. Thus it violates the "justifiable expectation" doctrine, and warrants no Federal privacy protection.

Protection or no, people will not be stopped from receiving radio signals. Even Representative Robert W. Kastenmeier, Democrat of Wisconsin, who championed the bill in the House, confesses that its radio provisions are essentially unenforceable. They will have no deterrent effect, and they will not increase the privacy of cellular phone calls or other broadcasts. Worse, the act would lull the public into a false presumption of privacy.

On further examination, it appears that the legislation is really more a sham than an honest, if puerile, attempt by Congress to deal with new technology. Its sponsors say they aim to protect all electronic communications equally. Yet the bill sets out at least four categories of phone calls, with varying penalties for interception. Cellular radio calls are guarded by threat of prison, but there is no interdiction whatsoever against eavesdropping on "cordless" telephones of the sort carried around the apartment backyard.
So Congress is about to give the cellular telephone industry ammunition for advertising and bamboozling, promising privacy that does not actually exist. Cellular service companies thereby hope to avoid losing revenue from customers who might use the service less if they understood its vulnerability.

If Congress were serious about privacy in the communications age, it would scrap the Electronic Communications Privacy Act and begin anew. Legislators and the public must first grasp the true properties of new technologies. Are those properties inadequate or unsavory? If so, relief will only come from research and more technology not wishful legislation.

------------

Robert Jesse is a technology consultant. [known to us all as rnj@brl]

------------------------------

End of RISKS-FORUM Digest
************************