15-Oct-86 21:12:47-PDT,14174;000000000000 Mail-From: NEUMANN created at 15-Oct-86 21:09:27 Date: Wed 15 Oct 86 21:09:27-PDT From: RISKS FORUM (Peter G. Neumann -- Coordinator) Subject: RISKS-3.80 DIGEST Sender: NEUMANN@CSL.SRI.COM To: RISKS-LIST@CSL.SRI.COM RISKS-LIST: RISKS-FORUM Digest, Wednesday, 15 October 1986 Volume 3 : Issue 80 FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: US Navy reactors (Henry Spencer) Data Protection Act Risks (Lindsay F. Marshall) Is Bours(e)in on the Menu? (Martin Minow) Re: Software Wears Out (anonymous) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, nonrepetitious. Diversity is welcome. (Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM) (Back issues Vol i Issue j available in CSL.SRI.COM:RISKS-i.j. Summary Contents in MAXj for each i; Vol 1: RISKS-1.46; Vol 2: RISKS-2.57.) ---------------------------------------------------------------------- From: decvax!utzoo!henry@ucbvax.Berkeley.EDU (Henry Spencer) Date: Tue, 14 Oct 86 17:56:36 edt To: ucbvax!CSL.SRI.COM!RISKS Subject: US Navy reactors > A co-worker of mine who has worked in both the Navy and civilian > nuclear programs tells me that Navy reactor systems are designed to keep > humans in the loop. The only thing the automated systems can do without > a person is 'scram' or shut down the reactor... Thus, the > system can't very easily spring surprises on the operators. A probable contributing factor here is that the US Navy's submarine people do not trust automation at all in crucial roles. For example, US subs have no autopilots, even though they spend most of their time at constant speed and depth. They are "flown" manually at all times. This is not so much a matter of keeping the operators alert and informed as it is a matter of complete distrust of complexity and automation in submarines. This is a significant constraint on submarine design, in fact. Modern subs generally have a fairly symmetrical set of vertical and horizontal fins at the tail. Looked at from behind, it's a cross shape. There would be advantages to using an X shape instead, just shifting the whole cluster 45 degrees: this would permit grounding the sub on the bottom without damage to the bottom fin, and would permit docking against a straight dock without worries about banging one of the horizontal fins against the dock. The US Navy does not think highly of the idea, because it would require a mixing box of some kind (which could be purely mechanical!) to turn the horizontal and vertical control inputs into rudder/elevator motion. That's how deep the distrust of complexity runs. I'm not surprised that they have manually- controlled reactors. The USN also has an outstanding reactor safety record -- no big accidents, no serious radiation releases -- with a stable of reactors comparable in numbers (although not in output) to the entire US nuclear-power industry. They are very fussy about materials, assembly, and operator training. Henry Spencer @ U of Toronto Zoology {allegra,ihnp4,decvax,pyramid}!utzoo!henry [Intriguing. I have frequently heard it said -- by Nancy Leveson and others -- that the nuclear power technology is so sensitive that they feel they cannot afford to use computers! PGN] ------------------------------ From: "Lindsay F. Marshall" Date: Wed, 15 Oct 86 14:36:27 gmt To: risks@csl.sri.com Subject: Data Protection Act Risks Police find a Catch 22 for data victim - From The Guardian The police are ready to challenge the new right to compensation guaranteed by the Data Protection Act to people injured through the passing of inaccurate information. Hertfordshire Police, which wrongly suggested to Tayside Regional Council that a woman it was considering appointing had a criminal record, has denied that the woman has any claim to compensation. Under the Data Protection Act, all agencies - including the police - which hold information electronically are liable to damage claims for any harm which inaccuracies create for people on their records. But Hertfordshire Police has produced a Catch 22 defence. In a letter to the woman's solicitor, the force suggests that the woman has no claim to compensation. The police now conceded that the woman does not have a criminal record but go on to argue that she is therefore not on their records. As she is not a "data subject" she cannot be eligible for compensation. Mr. Eric Howe, the Data Registrar, said yesterday that he would resist such an interpretation of the act. One problem for the woman, Mrs Anne Trotter, of Kirriemuir, Tayside, would be the cost of the court action. There is no legal aid in such cases. The Data Registrar can initiate criminal prosecutions but cannot sponsor civil actions. The case would cost over 1,000 pounds. The mistake happened earlier this year. Tayside Regional Council social work department, which was considering appointing Mrs. Trotter to a special fostering programme for delinquent teenagers, followed the recommended procedure of checking the criminal records of its applicants. The authority wrote to the police in Hertfordshire, where Mrs Trotter had lived for a period, and was informed that two separate sets of "convictions are recorded against Anne Trotter, who appears identical with the applicant." They involved thefts in Newcastle upon Tyne in 1942 and theft and false pretences in Newcastle in 1947. Anne Trotter's maiden name was Lawson until she married in 1954. In 1942 she was 15 years old and was still at school in Arbroath. The police were given her maiden name. Mrs Trotter was so upset by the incident that she decided to drop her application and take up a temporary teaching post. She asked the social services department for a copy of the police letter and, unusually, was given one. The right of access to such letters does not come into force until November next year. Later, after hearing about the Data Protection Act, she took it to a solicitor in Dundee. He wrote to the Hertfordshire Police on July 3 asking for compensation. The police replied on July 8, denying responsibility. The force said its letter had only said the Newcastle offender "appears identical with the applicant." The letter went on to claim: "The fact of the matter is that your client is not a data subject within the terms of the Data Protection Act as it is now clear ... that no records are held in respect of your client." Mr Kevin Veal, the solicitor, sent a second letter which said: "It seems to use that insufficient care was given to the issue. For example, it must have been obvious to anyone compiling the report that a young girl born in 1927 under the name of Lawson could not have been convicted under the name of Trotter in 1942. The case is made more complicated by the fact that the police supplied the information on April 21 but the compensation provisions of the act only came into force on May 11. There was no retraction, however, until July 8 and no attempt by the police in the letters to use the May 11 date as the reason for not providing compensation. ------------------------------ Date: 15-Oct-1986 1530 To: risks@csl.sri.com Subject: Is Bours(e)in on the Menu? From: minow%regent.DEC@decwrl.DEC.COM (Martin Minow, DECtalk Engineering ML3-1/U47 223-9922) BEAR MARKET MEANS BARGAIN FOR DINERS By Paul Lewis (reprinted without permission from the New York Times News Service) PARIS - The two hungry diners sat down, turned expectantly to a flickering computer screen on a nearby stand and began studying the latest quotations. The news seemed ominous. Making money would not be easy in today's luncheon market. The scene was La Connivence, a small new bistro-style restaurant at 6 Rue Feydeau, a stone's throw from the Paris Bourse, or stock exchange. As with stocks on the exchange, the laws of supply and demand determine the price diners at La Connivence pay for a meal. (The name, La Connivence, means complicity, with the slightly shady overtones appropriate for a gambling den of sorts.) As patrons place their orders in the austere ground-floor dining room, one of the owners, Jean-Claude Trastour, enters them into a computer which promptly adjusts the menu prices to reflect demand. Popular dishes, like popular stocks, go up in price while less popular ones decline. Timorous diners may choose to pay the quoted price for a dish at the moment they order it. That is called eating on the march comptant, or cash market. If the price rises while these diners are tucking in, they have done very well for themselves. If the price falls, they get indigestion. It is the safe way to eat - safe and dull. More adventurous folks play the futures market, the march a terme, agreeing to pay the price quoted when they call for the check at the end of their meal. Naturally, they hope the price will have fallen by that fateful moment. But hopes may be dashed by a flurry of buying, and the price may easily shoot up. Worse indigestion. The newly seated diners began preparing their gambling strategy by reading the trends. They saw that the prices of several dishes had already fallen by close to 6 francs--the limit for price changes up or down in any one eating-trading session. (A dollar is worth about 7 francs.) That left little room for further decline. There would be no point in ordering any of those dishes, no matter how delectable--unless, of course, the diner was more interested in eating than in successful speculation. The computer screen flashed chute du filet mignon, indicating that the price of that choice steak had already fallen 5 francs, to 50 francs a serving. A veal casserole with herbs had slipped 4 francs, to 48 francs. A rack of lamb chops for two, down 10 francs, was priced to sell for 110 francs a serving. As for the haddock, the computer reported a "sharp fall" of 5 francs a portion, to 57 francs. Other dishes were doing better. The screen showed that a "stampede" of orders for lotte had pushed the price of that pleasant Mediterranean fish up 4 francs to 62 francs a portion, making it an interesting speculation. If diners played the forward market, the price might be substantially lower when the time came to pay; of course, it could still rise another 2 francs before reaching the 6 francs ceiling. Occasionally, a diner's greed is outweighed by the thought of what he would have to eat to turn a profit. An example: "Victorious advance of the stuffed pigs' trotter," the computer flashed, marking it up 5 francs, to 43 francs. Surely it could only fall. But a lunch of pigs' feet? In the end, the diners chose a conservative strategy, ordering the special of the day, saddle of lamb, on the marche a terme. The lamb was trading at 39 francs a portion; up a modest 2 francs for the day thus far. The check arrived for the conservative diners: 228 francs for two, which is pretty good by Paris standards since it included a bottle of Beaujolais, a cheese-filled ravioli from the French Alps for a starter, homemade apple tart, and coffee. But the roast saddle of lamb stood at 38 francs, only a meager 1 franc cheaper than when it was ordered. Down the street, the Bourse was having one of its best days ever. [Inside tip: Sell-SHORT-Ribs, Buy-LONGustine. Bon appetit! Pierre] ------------------------------ Date: Mon, 13 Oct 86 08:15:06 [...] From: [...] (Anonymous) To: risks@CSL.SRI.COM Subject: Re: Software Wears Out [I have been rejecting almost all messages on this subject, in that (1) the topic was not converging, and (2) the discussion might better belong in SOFT-ENG@MIT-XX. But this somewhat historical note seems worth including -- along with this note explaining that I have been throttling other contributions. PGN] I have to remain anonymous because my management lives in fear that someone who works for them may post something dumb. Herewith, I justify their most morbid fears. The comments on software "wearing out" vs. becoming obsolete seem to me to be dancing around the issue. L.A. Belady and M.M. Lehman addressed this matter in a seminal paper: "Programming System Dynamics, or the Meta-dynamics of Systems in Maintenance and Growth" (IBM Research, RC 3546, Sept 17, 1971). The authors maintain that systems do have a "lifetime," and so in that sense, they may be supposed to wear out, although they do not use that term; nor do they say that software becomes obsolete. Instead, their measure is entropy. When the programming system's entropy is low, its ability to do "work" on its environment is high, and vice-versa. A system at release, or shortly thereafter, possesses low entropy. Maintenance and enhancement over time increase the entropy until the marginal cost of the next required set of fixes and/or enhancements approaches, say, the amounts expended on the system up to that point. Entropy is then high, and the system may be said to be "worn out." This is at best a poor precis of a very elegant paper; the gentle reader is referred to the original for a deeper insight into the reasons why software wears out. [Among all the complaints that software is static and -- in never changing -- should not be said to "wear out", we note that it is often NOT static, which is of course a large part of the problem. In the other hand one might say that the INTERFACE wears out rather than the software. But let us not quibble on this one any more. PGN] ------------------------------ End of RISKS-FORUM Digest ************************ -------