18-Nov-86 21:49:36-PST,12831;000000000000 Mail-From: NEUMANN created at 18-Nov-86 21:48:03 Date: Tue 18 Nov 86 21:48:03-PST From: RISKS FORUM (Peter G. Neumann -- Coordinator) Subject: RISKS DIGEST 4.13 Sender: NEUMANN@CSL.SRI.COM To: RISKS-LIST@CSL.SRI.COM RISKS-LIST: RISKS-FORUM Digest, Tuesday, 18 November 1986 Volume 4 : Issue 13 FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Framing of life-and-death situations (Jim Horning) On placing the blame (Peter J. Denning) Computer picks wife (Matthew Kruk) Re: Micros in cars (Brint Cooper) Re: They almost got me! (Will Martin) Re: A variation of the Stanford breakin method (Joe Pistritto) Microfiched income-tax records stolen (John Coughlin) Re: Copyrights (Andrew Klossner) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, nonrepetitious. Diversity is welcome. (Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM) (Back issues Vol i Issue j available in CSL.SRI.COM:RISKS-i.j. MAXj: Summary Contents Vol 1: RISKS-1.46; Vol 2: RISKS-2.57; Vol 3: RISKS-3.92.) ---------------------------------------------------------------------- Date: Tue, 18 Nov 86 17:31:40 pst From: horning@src.DEC.COM (Jim Horning) To: RISKS@CSL.SRI.COM Subject: Framing of life-and-death situations In the "1986 Accent on Research Magazine" published by Carnegie Mellon University there is an article on "The Science of Decision Making" by Robyn Dawes. The whole article is interesting, but I was particularly struck by a passage that succinctly states an issue we have often skated around in Risks: ... Such a contradiction violates any model of human decision making based on a premise of rational choice. Such framing effects also lead decision makers faced with life and death situations to act conservatively when the alternatives are framed in terms of lives saved (because the first life saved is the most important), but take risks when the same alternatives are framed in terms of lives lost (because the first life lost is the most important--thereby leading to a desire to avoid losing any lives at all). The result can be a contradictory choice for identical life and death problems, depending upon how they are framed. ... have demonstrated not only that framing affects decision, but that people systematically violate the rules of probability theory by adopting--either explicitly or implicitly--certain heuristics to evaluate the likelihood of future outcomes. ... Jim H. ------------------------------ Date: Tue, 18 Nov 86 14:34:50 pst From: Peter J. Denning To: neumann@sri-csl Subject: On placing the blame ReSent-To: RISKS@CSL.SRI.COM In recent issues of RISKS there were two items that on the surface did not appear to be in the stated purview of RISKS: A. Two jetliners in near-miss. Controller unable to warn the pilots because there was an open microphone jamming the frequency. B. Young girl suffocates from carbon monoxide fumes generated by home grille after power company turned off power for non- payment of bills but delayed resumption due to operator error. I asked Peter Neumann about this. With respect to (A), he said, radar is a vital component of the system: it is called INPUT. Vulnerabilities of radars affect the ability of the computer to do its job. With respect to (B), he said, a computer operator put in incorrect data, which contributed to the problem. In both cases, there is a total system containing an embedded computer system. In (A), for example, the total system includes the jetliners, the pilots, the radars, the radios, the computers, and the controllers. In (B), the total system includes the customers (especially the unfortunate family), power distribution, review of requests for welfare status, and the computer accounting system. In both cases, there is a temptation to ascribe safety failures in the total system to one of its components, the embedded computer, and by implication to make the designers of that software responsible. In (A), the computer could not possibly have compensated for jammed radio frequencies. In (B), there is a possibility that, had the computer operator entered correct data, power would have been restored a few days sooner, in time to forestall the death of someone in that household; however, the child's parent, not the computer designers or operator, chose to heat the cold house with a lethal fuel and to defer application for welfare status until after the power was turned off. In both cases, a variety of factors combined to create the unfortunate circumstance. The embedded computer systems could not have been programmed to prevent the mishap. And yet the news reports contain suggestions that computers, or their operators, are somehow at fault. Have some journalists become unduly accustomed to fingering the computer for every mishap? Have some computer people become unduly eager to accept the blame when there is a mishap in a system that contains a computer? Peter Denning ------------------------------ Date: Mon, 17 Nov 86 08:00:52 PST From: Matthew_Kruk%UBC.MAILNET@MIT-MULTICS.ARPA To: RISKS@CSL.SRI.COM Subject: Computer picks wife (Associated Press) November 15th IZMIR, Turkey - A man who divorced his wife after a bitter six-year court battle and turned to a computer service to find himself the "ideal" mate was surprised when - from 2,000 prospective brides - the machine selected his former wife. "I did not know that my ex-wife had been the ideal counterpart for a marriage," Suleyman Guresci was quoted as saying by the Anatolia News Agency before re-marrying Nesrin Caglasa. "I decided to try being more tolerant toward her," He said. The couple, whose first marriage lasted 21 years, were divorced nine months ago due to "severe disharmony" after living apart for six years, Anatolia reported. ------------------------------ Date: Mon, 17 Nov 86 15:42:40 EST From: Brint Cooper To: convex!paulk@a.cs.uiuc.edu cc: RISKS@csl.sri.com Subject: Re: Micros in cars There's another risk of re-programming your engine control ROMs. It's a federal offense to remove or alter the operation of emission control equipment. Since fuel mixture and ignition affect emission levels, they are considered emission control. ------------------------------ Date: Tue, 18 Nov 86 9:50:24 CST From: Will Martin -- AMXAL-RI To: "Maj. Doug Hardie" cc: risks@SRI-CSL.ARPA Subject: Re: They almost got me! Your note on RISKS impressed me tremendously. What you described has so many odds against it that the fact that it happened just HAS to be significant. Just what that significance is, I am not sure, but it must be important! The odds against the occurrence of the unlikely combination of grades and data that would get through the filtering code are themselves high, but, as you said, at least two people's records produced this -- the number of possible students and their grade combinations could easily explain this, so that, in itself, isn't significant. But the fact that you, yourself one of these very few that fit this unusual mix of historical data and participated in this special course, were then asked to rewrite the computer program that contained this flaw is an incredible coincidence in itself. However, the fact that this was a special honors humanities course, the graduates of which would NOT be likely to be computer or programmer types, takes the odds out of the merely "incredible" category and puts them into some utterly indescribable astronomical range. Thanks for sharing this with us. Regards, Will Martin ------------------------------ From: Joe Pistritto (JHU|mike) <@RELAY.CS.NET,@CSNET-RELAY.CSNET:jcp@BRL.ARPA> To: Arno Diehl <@RELAY.CS.NET,@CSNET-RELAY.CSNET,@GERMANY.CSNET:DIEHL@v750.ira> cc: risks <@RELAY.CS.NET,@CSNET-RELAY.CSNET,@GERMANY.CSNET:risks@CSL.SRI.COM>, [+ SECURITY@RUTGERS] Subject: Re: A variation of the Stanford breakin method What you have here is the standard 'spoofing' problem. I think the only way to control this problem (for a system attached to the Internet) is to route all the traffic thru a gateway (over which you have physical access control) that will DROP immediately any packets originating from the Internet world with SOURCE addresses that are anywhere on your local nets. (You could put insecure nets on the other side of a similar gateway inhouse, to protect the 'trusted' networks.) Prevents anyone from spoofing along as one of your hosts. (This might cause some loopback features of TCP to stop working in some implementations, however) And yes, it means that the 'trusted' hosts have to be on 'trusted' networks that are physically distinct (and of course physically secure). Begins to sound like DoD already, doesn't it... -jcp- PS: Security is a pain the ass... [So may be the absence of security! PGN] ------------------------------ Date: 17 Nov 86 23:41:00 EST From: John Coughlin To: Subject: Microfiched income-tax records stolen It was announced in the Canadian House of Commons today that microfiche containing personal income tax records for 16 million Canadian taxpayers was stolen from a Toronto office of Revenue Canada on November 4. The microfiche was returned November 17 after being retrieved by the RCMP. It is not known whether the material was duplicated by the thief, who has not been identified. CTV news said that several hundred people had access to the microfiche in the Toronto office. Duplicate copies are kept in several district offices as well. This incident adds a new dimension to the recently discussed RISKS of easily portable information media, such as hospital medical records on computer diskettes. /jc [This item is at first blush of marginal relevance to RISKS strictly from the computer point of view -- unless the microfiche was computer generated (it was probably just a record of actual returns). Nevertheless, I include it as symptomatic of the deeper problems. PGN] ------------------------------ Date: Mon, 17 Nov 86 10:23:58 PST From: Andrew Klossner To: ucbvax!CSL.SRI.COM!RISKS Subject: Re: Copyrights (RISKS DIGEST 4.8) [Andrew wished to clarify the issue of whether there is a risk in using "(c)" or a half-circled "c". Although his response does not seem strictly RISKS related, I think it may clarify a thorny issue for some of you who are willing to contribute to RISKS but want to protect your rights. I have abridged it somewhat. PGN] It is the considered opinion of the chief legal counsel at Tektronix that the genuine circled-c can be replaced only by the string "Copyright (c)". Both the word "Copyright" and the pseudo-glyph "(c)" are required... The three basic elements needed to obtain copyright protection in the United States and the member countries of the Universal Copyright Convention (most countries of any significance) are the copyright symbol (circle-c or string "Copyright (c)"), the name of the copyright owner, and the year date of first public distribution. The law requires that the notice "be affixed to the copies in such manner and location as to give reasonable notice of the claim of copyright." The phrase "All rights reserved" extends protection to member countries of the Buenos Aires Convention who are not also members of the Universal Copyright Convention (a few Latin American countries). Whenever the program or document is revised significantly, the year date of the revision must be added to the notice, as in: Copyright (c) 19XX, 19YY. When licensing software to the (US) federal government under the the Defense Federal Acquisition Regulation Supplement (DFARS), a completely different set of legends is required. -=- Andrew Klossner (decvax!tektronix!tekecs!andrew) [UUCP] (tekecs!andrew.tektronix@csnet-relay) [ARPA] ------------------------------ End of RISKS-FORUM Digest ************************ -------