20-Jul-87 22:55:00-PDT,10670;000000000000 Return-Path: Received: from csl.csl.sri.com (CSL.SRI.COM) by F4.CSL.SRI.COM with TCP; Mon 20 Jul 87 22:47:43-PDT Received: from F4.CSL.SRI.COM by csl.csl.sri.com (3.2/4.16) id AA10644 for RISKS-LIST@f4.csl.sri.com; Mon, 20 Jul 87 22:49:40 PDT Message-Id: <8707210549.AA10644@csl.csl.sri.com> Date: Mon 20 Jul 87 22:46:39-PDT From: RISKS FORUM (Peter G. Neumann -- Coordinator) Subject: RISKS DIGEST 5.13 Sender: NEUMANN@csl.sri.com To: RISKS-LIST@csl.sri.com RISKS-LIST: RISKS-FORUM Digest Monday, 20 July 1987 Volume 5 : Issue 13 FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Re: Another computer-related prison escape (Alan J Rosenthal) Credit card risks (David 'Witt' Wittenberg) The latest in Do-It-Yourself manuals (Andrew Scott Beals) Re: Robocop review (Eugene Miya) Robocop and following instructions (Brian Gordon) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, nonrepetitious. Diversity is welcome. Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM. FTP back issues Vol i Issue j from F4.CSL.SRI.COM:RISKS-i.j. Volume summaries for each i in max j: (i,j) = (1,46),(2,57),(3,92),(4,97). ---------------------------------------------------------------------- Date: Sat, 18 Jul 87 10:58:07 EDT From: Alan J Rosenthal To: csl.sri!RISKS%ai.toronto.edu@RELAY.CS.NET Subject: Re: Another computer-related prison escape Andrew Klossner: > The alarm did go off, but little attention was paid to it because it > goes off every day, ... Something I've always felt strongly about in regard to this is fire alarms. There are many buildings in which fire alarms are ignored as a matter of course. I believe that in such a case having the fire alarms is worse than not having them, for two reasons. One is if you are trying to tell someone that there is a fire. You will pull the fire alarm and leave the building. No one will listen. The other is if you are trying to observe whether or not there is a fire. Someone tells you that there is, but you tend to doubt them because their information is probably from the fire alarm. At least, this could cause a delay of minutes which can be crucial in a large building in a fire. In an apartment building I lived in recently, one night at about 4am the fire alarm went off. I blearily woke up, pulled on some clothes, and left the building. Standing outside, I saw only two other people that felt as I did. Everyone else was still inside. (I had only been living there for two months at this time.) Alan J Rosenthal [If any of you wonder, "What has this to do with computers and related systems?", the answer by now should be obvious... Alarms were ignored, bypassed, misinterpreted, or otherwise mishandled in many cases such as the Stark, Three Mile Island, Chernobyl, Therac 25... PGN] ------------------------------ Date: 17-Jul-1987 1134 From: wittenberg%ultra.DEC@decwrl.dec.com (David 'Witt' Wittenberg) To: risks@csl.sri.com Subject: Credit card risks AT&T phone credit cards use a credit card number that consists (in most cases) of your phone number followed by four (presumably somewhat random) digits. If the last four digits are random, the probability of guessing a number (assuming you know that a particular phone number has a card associated with it) is .01%, which seems relatively safe. The problem was that if your number was on a centrex where the main number ended in 000 all the users of that centrex had numbers that consisted of the main number followed by 4 digits (a different four digit code for each user to provide accountability), so if the centrex had 500 users with credit card numbers, a random 4 digit number appended to the centrex number had a 5% chance of working. This made the expectation value of the number of tries before finding a valid number 10! This has been corrected, so that now the card number is an individual number followed by the 4 random digits. --David Wittenberg ------------------------------ Date: Sun 19 Jul 87 16:54:46-PDT From: Andrew Scott Beals (well!bandy@lll-lcc.ARPA) Subject: The latest in Do-It-Yourself manuals To: RISKS@csl.sri.com Three ads from the August issue of Computer Shopper: CABLE and SUBSCRIPTION TV secret manual. Build your own DESCRAMBLERS, converters. Instructions, schematics for: Sine Wave, Inband/Outband Gated Sync Pulse, SSAVI methods (for HBO, Showtime, Cinemax, UHF, etc.) Send $8.95 + $1 postage to CABLETRONICS Box 30502CS, Bethesda MD 20814. COMPUTER UNDERGROUND. Hacking, Crashing, Pirating, and Phreaking. Who's doing it, why they're doing it, and how they're doing it. Sample programs, phone numbers, and the tools of the trade. Send $14.95 + $1 postage to CABLETRONICS Box 30502CS, Bethesda MD 20814. HACKER'S HANDBOOK. Tells how to access remote computers, figure out passwords, access codes, operating systems, modem protocols. Plug into the electronic subculture; open up a world of new information. Send $12.95 + $1 postage to CABLETRONICS, Box 30502CS, Bethesda MD 20814. [This item is included here to illustrate an important point: Knowledge on how to subvert system security is VERY WIDESPREAD. Sticking one's head in the sand and assuming that everything is OK is a certain way to court disaster. IMPORTANT SIDEBAR: RISKS does not endorse unsavory behavior by crackers; however, RISKS also does not endorse ostrich behavior by system purveyors. PGN] ------------------------------ Date: Fri, 17 Jul 87 10:40:16 PDT From: Eugene Miya To: baldwin@cs.rochester.edu Subject: Re: Robocop review Cc: risks@csl.sri.com Yes, I saw that segment as well. I think the scene derived its effect from the "blame the computer" syndrome we have developed over the last couple of decades. The effect is supposed to be based on 1) "we" have this new security device, 2) to test it, would you hold this gun? [For those not seeing the scene, this biped robot security device can identify guns held at it.] Stop. Typical person (Everyman, who was the actor of this scene, there is a name of this type of person in the Star Trek parlance) would say "No way." This is what you have test pilots and drivers for. Machines have made us think about them in less than positive ways. It's perfectly safe. Now, for the viewer (you the reader of RISKS), do you think you would point a gun at an armed security device? Now, do ya'? Do ya' feel luck.. punk? We (computer people) would think this device would be tested to this point. I'm certain the programmer characters in the film would have thought so too, otherwise, why would the RISKS group exist? The problem with computer systems is that we think we should try to put common sense into them. I think this is wrong. Humans take common sense for granted. It is a form of prejudice. Common sense is not logic. The other extreme is "blind logic", which is portrayed as poor programming (actually inconsiderate "exception handling"). Our problem is that we have conflicting goals; the best written description was given by Nancy Leveson in her Computing Survey article on Safety. One purpose of science is to challenge the assumption of common sense as part of education/learning. Remember that just over a century ago, it was `common sense' that certain members of the human population were inferior on the basis of race. Quantum mechanics arose in a different domain to change other `common sense' ideas. In the end, it is all your point of view. I do plan to see this film (as bad as it might be). S&E both gave thumbs up, but I don't trust them. --eugene miya, NASA Ames [1. `` `Common sense' is not very common.'' 2. I have seen one scathing review and one rave (qualified with "excessive violence"). The previews go right to the ``would you trust this robot?'' scene... PGN] ------------------------------ Date: Sun, 19 Jul 87 08:26:23 PDT From: Brian Gordon To: RISKS@csl.sri.com Subject: Robocop and following instructions (RISKS-5.12) >From: baldwin@cs.rochester.edu >"I think there's something basically funny about a machine ... > blindly following instructions in the face of logic" One of the scariest things I learned while teaching "Computer Appreciation" (actually titled "Computers in Society") to non-technical types in the 70's was how little college students knew about the "nature" of computers. On every final there was a question of the general type, "What are the implications of a machine that only does EXACTLY as it is told". The majority of the answers were always about how bad it WOULD be if there WERE such devices -- and remember, this was after they were told the question was coming! It almost makes you want to take up plumbing. FROM: Brian G. Gordon, CAE Systems Division of Tektronix, Inc. UUCP: tektronix!cae780!gordon [or gordon@cae780.CAE.TEK.COM] ------------------------------ Date: Mon, 20 Jul 87 11:35:48 EDT From: baldwin@cs.rochester.edu To: baldwin@cs.rochester.edu, eugene@ames-nas.arpa Subject: Re: Robocop review Cc: risks@csl.sri.com Right-on-target discussion (by Eugene Miya) of safety and risks in this hypothetical situation, and the contrasts between what people intuitively expect from "intelligent" machines and what they actually get. (The term "intelligent machine" is a lasting disservice done to our discipline by the press of the 1940's and '50's.) The point I want to make is that there seems to be a large segment of society out there that doesn't think this is a risk at all - it's just funny. That's the same society that somehow has to make collective decisions about computer systems in nuclear power plants, weapons, planes, and all the other things we've been discussing for who-knows-how-long here. ------------------------------ End of RISKS-FORUM Digest ************************ -------