1-Mar-87 15:54:45-PST,10198;000000000000
Mail-From: NEUMANN created at 1-Mar-87 15:53:09
Date: Sun 1 Mar 87 15:53:09-PST
From: RISKS FORUM (Peter G. Neumann -- Coordinator)
Subject: RISKS DIGEST 4.53
Sender: NEUMANN@CSL.SRI.COM
To: RISKS-LIST@CSL.SRI.COM

RISKS-LIST: RISKS-FORUM Digest  Sunday, 1 March 1987  Volume 4 : Issue 53

        FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Setuid Patent (Lindsay F. Marshall)
  On PGN's editorial comment on human misuse of computers (Eugene Miya)
  An aside on the B-1 (Eugene Miya)
  Autolander discussion (Nancy Leveson)
  Re: Air Traffic Control, Auto-Land (Dean Pentcheff)
  Electronic Steering (Ray Chen, Herb Lin)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious.  Diversity is welcome.
(Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM)
(Back issues Vol i Issue j available in CSL.SRI.COM:RISKS-i.j.
 MAXj: Summary Contents Vol 1: RISKS-1.46; Vol 2: RISKS-2.57; Vol 3: RISKS-3.92.)

----------------------------------------------------------------------

From: "Lindsay F. Marshall"
Date: Fri, 27 Feb 87 13:52:19 gmt
To: risks@csl.sri.com
Subject: Setuid Patent

Can we knock this one on the head once and for all?  The patent for this did
exist but was allowed to lapse by AT&T.  The proper use of setuid is of course
NOT nonsecure and does allow the easy implementation of certain facilities.
Badly used, yes it can be nonsecure, but don't knock it because of that!!

Lindsay

   [It is precisely BECAUSE it allows easy implementation that it is so
   frequently misused -- by people who don't know better.  Use of "setuid"
   opens up the possibility of a variety of security flaws, including Trojan
   horses, search-path traps, etc., and tends to substantially widen the
   perimeter of trust.
   I'm not sure that anyone knows how to characterize "proper use"
   completely -- if it is indeed possible at all.  PGN]

------------------------------

Date: Fri, 27 Feb 87 09:43:48 PST
From: Eugene Miya
To: risks@csl.sri.com
Subject: On PGN's editorial comment on human misuse of computers

I read this today and wonder if I would really regard this as a risk.
We have Use, Abuse, and Misuse.  I sometimes (emphasis) like to believe
that the last two are not possible -- that a different word is needed.
Yes, I acknowledge that the Mafia can use dBase II, or the people at
kremvax use Lotus on separate PCs ;-).

Remember: light behaves like a particle on MWF and a wave on TTS.
This might be a useful technique.

--eugene miya
  NASA Ames Research Center

   [We also include part of Eugene's response to Brian Randell:]

To: brian%cheviot.newcastle.ac.uk@cs.ucl.ac.uk
Cc: risks@csl.sri.com
Subject: Re: RISKS and human errors
Date: 27 Feb 87 11:08:07 PST (Fri)
From: eugene@ames-nas.arpa

What a wonderful thing to see:

> Today I telephoned Prof Reason, and had a very interesting chat with
> him.  We have arranged that he will come and give a talk ...

It upholds some faith in the value of television.  You might ask Dr. Reason
[interesting name] about the role in the past of things such as ritual,
mnemonics and (devices) [programmes] as this was the way things were done in
the past before writing, and it also probably helped with the development of
such arts as poetry.  I think this is important (if you have not realized
this) because proposals for nuclear waste include monuments and the creation,
literally, of a "priesthood" to deal with nuclear waste.  Could similar such
priesthoods develop for computers (some would say we have such now)?

A follow-up report on Dr. Reason's seminar would be most interesting.
I wish I could attend.  Thank the net.
--eugene miya, NASA Ames Research Center

   [The 19th Century English caricaturist Thomas Rowlandson had a favorite
   character named Dr Syntax -- who somehow still seems relevant today.
   By the way, I wanted to close the loop on Eugene's comment, "I think an
   apology is in order", and MY apology in RISKS-4.52.  Eugene's subsequent
   reply suggests that maybe I overreacted to HIS comment -- HIS later
   response suggests (rather modestly) that the original comment might have
   been intended to imply that HIS apology was in order.  But that was much
   too kind of him.  (A still later comment from him could be interpreted
   still differently, so I'll just leave it the way it was in RISKS-4.52.)
   PGN]

------------------------------

Date: Fri, 27 Feb 87 10:44:29 PST
From: Eugene Miya
To: neumann@csl.sri.com
Subject: An aside on the B-1
ReSent-To: RISKS@CSL.SRI.COM

Sigh!  This hits home.  When I was in high school, I had a job with North
American Rockwell designing parts for the B-1 after school.  Three stiffeners
are mine.  It was always interesting to be sitting trying to figure out how to
design something when someone would walk in with a requirement for a hole
(right there).  Why?  Avionics.  Nothing more would be said.  You were not
supposed to ask as an airframe person.  Interesting to see that all this comes
back to the avionics people.

   [This provides an interesting lesson to programmers who don't understand
   the environment in which a program is expected to run.  In response to my
   query of Eugene on "stiffeners", he replied thusly:]

Angle brackets used in homes are stiffeners.  They fit into corners to make the
structure more rigid.  Interesting asides: there are two philosophies in
building aircraft.  (I was told this as a young engineer, and I passed it on to
the space group recently WRT multi-piece SRB design.)  You can make aircraft
from a few large pieces, or from many small pieces.  Boeing is a big-pieces
company and Rockwell (my ex while in HS) was a small-pieces company.
Tradeoffs in both directions: like multics and unix, pl/1 and c.

--eugene

------------------------------

Date: 27 Feb 87 15:20:45 PST (Fri)
From: Nancy Leveson
To: risks@csl.sri.com
Subject: Autolander discussion

I am a little confused about all the recent discussion in Risks about pilot
problems with autolanders, etc.  I read a paper written in the early 70's
about how the autolander for the L1011 was verified.  So there are already
autolanders in operation and have been for a long time.  Yes, they use analog
computers rather than digital computers, which makes a difference in
implementation techniques and perhaps reliability, but should make no
difference from the pilot's point of view.  Perhaps I am missing something
here?  Does a digital autoland system perform different functions than an
analog one?

------------------------------

Date: Wed, 25 Feb 87 21:48:55 PST
From: dean%violet.Berkeley.EDU@berkeley.edu (Dean Pentcheff)
To: RISKS@csl.sri.com
Subject: Re: Air Traffic Control, Auto-Land (RISKS DIGEST 4.51)

I would be equally unhappy being a passenger in an autolanding plane as I would
be living in a chronic state of "launch-on-warning" nuclear policy.  In either
case the machinery makes the ongoing critical decisions, and the people
supervising it just *might* be able to notice a problem, acquaint themselves
with recent system actions, and make the appropriate correction (if still
possible).  In indeterminate, complex situations such as strategic nuclear
systems and plane landings, I am much happier if the (admittedly fallible)
humans are making the ongoing decisions, with a possibility that machinery
might notice a problem and warn them.  The "supervisors" stand a much better
chance of being able to react appropriately to an unexpected situation if they
have the "feel" of the system by already having been in control of it.
-Dean (dean@violet.berkeley.edu)
-University of California, Berkeley
 Department of Zoology

   [The home of nonviolet resistance and inviolet principles!  PGN]

------------------------------

Date: Thu, 26 Feb 87 23:06:09 EST
From: Ray Chen
To: RISKS@CSL.SRI.COM
Subject: Electronic Steering

Military aircraft not only get maintained more often than the average car, but
they are also designed and manufactured to more exacting and demanding
specifications than their civilian counterparts.  Military hardware in general
is designed to operate correctly in a wider range of operating conditions and
is more thoroughly tested.  Military software must also meet certain coding
standards and go through formal verification testing before being approved.

Now, none of this guarantees that all errors are caught (especially the
software errors).  You do, though, have some guarantees about whatever can be
tested properly such as component quality, and RFI-shielding.

Given the amount of testing and verification a MIL-spec steer-by-wire car would
have to endure before being accepted, I might consider driving a steer-by-wire
car with software that had been coded and tested under military specs and ran
on MIL-spec, RFI-shielded hardware.  Given the history of electronic ignition
systems however, I wouldn't come near a steer-by-wire car that had been
developed and manufactured to "GM-specs".

Ray Chen

------------------------------

Date: Sat, 28 Feb 1987 12:54 EST
From: LIN@XX.LCS.MIT.EDU
To: "Hien B. Tang"
Cc: risks@CSL.SRI.COM
Subject: Electronic steering

We pay fighter pilots to take large risks.  Furthermore, combat jets are not
generally regarded as the ultimate in safety, since they sacrifice a lot to
get high performance.

   [OK, gang, that is probably enough on this topic for now.  Thanks.  PGN]

------------------------------

End of RISKS-FORUM Digest
************************
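Added example, not part of the RISKS digest and not written by any of its
contributors: the "search-path trap" that PGN names in the setuid exchange at
the top of this issue, shown in C beside the hardening that closes it. A
setuid program that runs a helper by bare name (system("ls"), popen("ls"),
execvp("ls", ...)) inherits PATH from whoever invoked it, so the invoker, not
the program's author, chooses which binary runs with the elevated uid. The
code below mimics the PATH walk execvp() performs, builds a constructed trap
directory containing a stand-in "ls", and shows that resolving through the
inherited PATH picks the trap while resolving through a fixed trusted path does
not. Assumptions (mine): a Unix layout in which /bin/ls or /usr/bin/ls exists,
a writable /tmp, and invented function names (resolve_in_path, setup_trap,
trap_wins_with_inherited_path, hardened_path_escapes_trap).

```c
/* Added example (not from the RISKS digest): a setuid search-path trap and
 * the fixed-PATH hardening that defeats it.  Assumes /bin/ls or /usr/bin/ls
 * exists and /tmp is writable; all function names are invented here. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* What a setuid program should search instead of the caller's PATH. */
static const char TRUSTED_PATH[] = "/usr/bin:/bin";

/* Constructed attacker directory (made by setup_trap) and the PATH the
 * attacker would export before invoking the setuid program. */
static char trap_dir[PATH_MAX];
static char attacker_path[PATH_MAX + sizeof TRUSTED_PATH + 1];

/* Walk a colon-separated path list in the order execvp() does.  Returns 1
 * with `out` set to the first dir/cmd that is executable, 0 if none is. */
int resolve_in_path(const char *cmd, const char *path, char *out, size_t outlen)
{
    if (strchr(cmd, '/')) {              /* a name with '/' is used as-is */
        snprintf(out, outlen, "%s", cmd);
        return access(out, X_OK) == 0;
    }
    const char *p = path;
    for (;;) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        char dir[PATH_MAX];
        if (len >= sizeof dir)
            len = sizeof dir - 1;
        memcpy(dir, p, len);
        dir[len] = '\0';
        if (len == 0)                    /* empty component means "." */
            strcpy(dir, ".");
        snprintf(out, outlen, "%s/%s", dir, cmd);
        if (access(out, X_OK) == 0)
            return 1;
        if (!colon)
            return 0;
        p = colon + 1;
    }
}

/* Create a writable directory holding an executable "ls" (the trap) and build
 * the PATH an attacker would set: trap directory first, trusted dirs after. */
int setup_trap(void)
{
    if (trap_dir[0])                     /* already built */
        return 1;
    char tmpl[] = "/tmp/settrapXXXXXX";
    if (!mkdtemp(tmpl))
        return 0;
    snprintf(trap_dir, sizeof trap_dir, "%s", tmpl);
    char bin[PATH_MAX];
    snprintf(bin, sizeof bin, "%s/ls", trap_dir);
    int fd = open(bin, O_WRONLY | O_CREAT | O_EXCL, 0755);
    if (fd < 0)
        return 0;
    /* Constructed stand-in for a payload; it is never executed here. */
    static const char body[] = "#!/bin/sh\necho trojan ls ran as uid $(id -u)\n";
    ssize_t n = write(fd, body, sizeof body - 1);
    close(fd);
    if (n != (ssize_t)(sizeof body - 1))
        return 0;
    snprintf(attacker_path, sizeof attacker_path, "%s:%s", trap_dir, TRUSTED_PATH);
    return 1;
}

/* Vulnerable pattern: resolve "ls" through the caller-controlled PATH.
 * Returns 1 when the chosen binary is the one in the attacker's directory. */
int trap_wins_with_inherited_path(void)
{
    char out[PATH_MAX];
    if (!setup_trap() || !resolve_in_path("ls", attacker_path, out, sizeof out))
        return 0;
    return strncmp(out, trap_dir, strlen(trap_dir)) == 0;
}

/* Hardened pattern: discard the inherited PATH and search TRUSTED_PATH only.
 * Returns 1 when the chosen binary lies outside the attacker's directory. */
int hardened_path_escapes_trap(void)
{
    char out[PATH_MAX];
    if (!setup_trap() || !resolve_in_path("ls", TRUSTED_PATH, out, sizeof out))
        return 0;
    return strncmp(out, trap_dir, strlen(trap_dir)) != 0;
}

int main(void)
{
    printf("inherited PATH selects the trojan ls: %s\n",
           trap_wins_with_inherited_path() ? "yes" : "no");
    printf("fixed trusted PATH selects the trojan ls: %s\n",
           hardened_path_escapes_trap() ? "no" : "yes");
    return 0;
}
```

The fixed-PATH rule is only the first half of the fix. In a real setuid
program the helper should be invoked by absolute path with execve() and an
explicitly constructed environment (IFS, LD_PRELOAD and similar variables are
traps of the same kind), and privileges should be dropped with setresuid()
before anything attacker-influenced runs, so the perimeter of trust PGN
mentions is as narrow as the program can make it.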