RISKS-LIST: RISKS-FORUM Digest   Thursday 19 May 1988   Volume 6 : Issue 88

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS 
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Soviet Space Shuttle software problem (Tim Shimeall via Nancy Leveson)
  Re: Navigation (Charles Brunow)
  Re: moral obligations with security exposures (Rob van Hoboken)
  Voter registration records and risks to democracy (Philip E. Agre)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious.  Diversity is welcome. 
Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM.
  For Vol i issue j, ftp kl.sri.com, get stripe:<risks>risks-i.j ... .
  Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85).

----------------------------------------------------------------------

Date: Wed, 18 May 88 15:47:03 -0700
From: Tim Shimeall <tim%safety.ics.uci.edu@ICS.UCI.EDU>
Subject: Soviet Space Shuttle software problem
(Remailed by Nancy Leveson)

From the Internet SPACE Digest, Volume 8, #224, dated 5/18

In a discussion of the Soviet Space shuttle, Glenn Chapman of the MIT Lincoln
Lab made the following comment:

"    Also for what it is worth it appears now that the first Russian
shuttle flight will be manned with two cosmonauts Igor Volk (Soyuz T12,
July 17, 1984) and Anatoly Levchenko (Soyuz TM-4, Dec. 21, 1987).
Pravda actually had a sketch of their shuttle about a week ago.  They
are still talking about a June flight.  It has been known for some time
that the cosmonaut corps were pushing for a manned first shuttle
mission, and had trained for similar missions.  One could speculate that
the final factors pushing for this was two things.  First it has been      <--
confirmed that the failure in the upper stage of Energiya was due to a     <--
software error which reversed the direction vectors of the stage during    <--
firing, not a failure of the engines or other guidance systems.            <--
Secondly the shuttle autolanding system development has been having some
trouble.  So when your robots fail you substitute humans for tasks
humans have shown abilities to do. "

Interesting, No?
			Tim

------------------------------

Date: 19 May 88 03:24:41 UTC (Thu)
From: ames!loci!clb@spam.istc.sri.com (Charles Brunow)
Subject: Re: Navigation

The recent posting about "Navigation" by Robert Dorsett exposed a related
RISK. Since it was a tangential topic to his subject, I'd like to pick it
up and describe it in more detail.

My subject is celestial navigation, who knows how to do it, and why should
anyone care. It has been an important skill for thousands of years and
it is directly responsible for the geo-political map of todays world. It has
also proven to be the most useful method on the longest voyage ever made.

The method which I will describe is called "St. Hilaire's" by some, the
"Sumner line" or position line by others. A more complete description
can be found in the "Bowditch" navigation text, which should be in most
libraries. To my knowledge, 1975 was the last year of publication.

The RISK involved with celestial navigation (referred to as "Astral" in
the referenced posting) is that it seems to be a lost art. The list of
navigational aids described by Mr. Dorsett was indeed impressive but
two limitations came to mind as I read it: one, all these methods are
reliant on electricity and two, they aren't available for small private
aircraft, boats, and ground transport.

Why should anyone be concerned by relying on electricity? Clearly the
answer is that it can fail, and if it fails what can you do? Suppose
that you are a frequent flyer, you've accumulated enough miles to take
your family on a trip to Hawaii, and off you go. Further, suppose that
as you cruise over the Pacific, there is a total electrical system
failure. Can it happen? You know it can. What could be done? If the
crew is totally reliant on the instrumentation, you may go swimming.

More important is the point that the high-tech methods are eclipsing
traditional methods to the point that the skill is being lost. I have
posed this question to many people: "how do you know where you are and
how do you know what time it is?" The response has been consistent: a
momentary puzzled look as they search for an answer, and then anger for
the foolish feeling they have. When I first asked myself these questions,
I resolved to find the answers. What I found was a facinating history
of exploring the seas and the land masses, and a story of truly
creative thinking.

The method of celestial navigation is similar to the satellite methods:
starting with an approximate observer position based on "dead reckoning",
successive approximations based on observations improve the estimate.
More specifically, the DR position (and time) are used to compute the
"expected" altitude of a celestial object and this value is compared
to the observed altitude. The difference angle is called the intercept
and represents the amount of correction to apply. The direction of the
correction is along a line between the observer and the object (the
azimuth angle), toward it if observed angle is greater, away if the
computed angle is greater. A second observation, at right angles to the
first is required to really fix the location. Note that, in general,
both longitude and latitude are affected, and the method finds both.
Additional sighting can improve the approximation further, for an
ultimate accuracy of a few hundred meters.

The "trick" in celestial navigation is computing the expected position,
compensating for the motions of the Earth and other effects. The fact
that these methods pre-date computers proves that it can be done.
Military teams like the "Green Berets" included a member trained in
communications and navigation based on equipment that could be carried
on their backs. But computers can also be used to great effect in
celestial navigation. The longest voyage ever made, by spacecraft
which have gone to the "gas giant" planets of our solar system, were
guided by computer based celestial navigation systems. And common
desk-top computers can be "taught" everything needed in a matter of
seconds, by loading the appropriate software/database from a floppy.
For example, a program set that I wrote, the Loci StarDB and Loci
3-Space Calculator, perform a sight reduction from an internal star
database. With this tool, a sextant or astrolab, and a chronometer
or WWV receiver, I can find my location on the Earth, for myself.

You may ask, "if my PC can do the navigation, why do I need to under-
stand it?" The reason is that someone must understand it to write the
software when new applications arise (exploration of Mars ?), there
must be people who understand the process to make the required upgrades
to the software. And if the equipment should fail, only a thorough
understanding will allow the operator to pick up where the hardware
left off. This is similar to the car: you can drive a car without
knowing how to repair it or how it works, but you run a RISK, so
don't forget how to walk.

In addition, the future always holds exploration, at sea or in space.
Robot spacecraft will need navigation software, even if manned missions
don't. The same skills transfer to other disciplines such as astronomy,
satellite defense and graphics. Jobs will be open for "navigators"
though the title will be different (mission specialist, staff engineer,
supreme commander, etc.).

Charles Brunow, mission specialist, communications/navigation  clb@loci.uucp

------------------------------

Date:         Fri, 13 May 88 14:16:15 MET
From: Rob van Hoboken <RCOPROB%HDETUD1.BITNET@CUNYVM.CUNY.EDU>
Subject:      Re: moral obligations with security exposures

I have found many bugs and/or security exposures in MVS and as such have had
to think up a reaction to such finds.  I have done the following:

1. create a proof for submission to the manufacturer,
2. send in a documented error report to the technical rep. and a high ranking
   management type of the manufacturer.

   When after several weeks nothing has happened:
3. send the above mentioned trouble report to <trusted> colleages in other
   computer centers, and have them submit a similar report to the manufacturer.

I have made a policy of never going <public> with such exposures because of the
seriousness of the situation.  Consider a computing center being faced with
an exposure in one of its key software systems (e.g. their transaction system).
What options do they have?

1. They can not remove the software from their systems, that would lose them
   millions of dollars PER DAY.
2. They could try to hack a fix for the exposure.  Estimated time of success
   several weeks of <highly qualified> syspro work.  Risks of malfunction of
   the entire transaction system, no support from supplier.  No dice.
3. Monitor abuse of the exposure.  Difficult.
4. Contact the supplier, explain the predicament and suggest you go looking for
   a replacement of his product.  Usually successful, but it takes about half a
   year for a security fix to arrive.

I think it is immoral towards colleages in your site and other centers to
publicly announce a security leak.  Even discussing it with too many syspro
types is risky, because one of them may be a blabbermouth and spill the news
to an unfriendly hacker or newspaper type.  It happens to be our reality
that you cannot close down a system on account of a security exposure if
that system is earning you money.  Fixing it is risky and difficult, so
waiting for you friendly supplier is the best you can do.

In this respect IBM has the best policy I know of:  each contract contains a
clause that a security exposure shall be dealt with within a specific time.
I've seen it work and I am impressed.  Of course some sites never apply the
fix, so not everybody will be covered, but that is their risk.  Other
suppliers (on the IBM market) do not have a similar policy.  I know of
several instances where an exposure was not even fixed after three years.
In one case I persuaded some of my friends to remove the product from their
systems and terminate the contract with the supplier.

I don't want to sound too gloomy, but the morally acceptable method will not
always yield results.  The (in my view) immoral way <may> yield long term
results, but in the period between public exposure and fix your systems are
extremely vulnarable to practically every hacker with assembler knowledge.
In no way can you guard against that many possible perpetrators.

The only argument I can come up with to defend a security through ignorance
policy, is the small number of attempts that will be made on your system.
I <may> be better to keep relatively inexperienced hackers unaware of exposures
when knowledgable folks can find out.  In the worst case it will save you
unscheduled IPLs.

------------------------------

Date: Thu, 19 May 88 07:50 EDT
From: Philip E. Agre <Agre@AI.AI.MIT.EDU>
Subject: Voter registration records and risks to democracy

The following paragraph appears in an article by Alfred Stepan of the
Americas Watch committee (New York Review, June 2nd 1988, p 35) on his
recent visit to Chile to report on human rights and on preparations by
opposition political parties and citizens' groups for the plebiscite on
military rule that is expected sometime in the next year:
  
  An official in charge of running the elections, Ignacio Garcia, told
  me and my Americas Watch colleague Stephen Richard that he would
  release a notarized copy of the registration rolls.  [Commander in
  chief of the Chilean air force] General [Fernando] Matthei went
  further, saying that not only would the registration rolls be
  ``absolutely'' available, but that giving the opposition access to the
  master computer disk on which all voters' names were entered was
  ``crucial'' to a fair plebiscite.  I mentioned these statements by
  government officials in a press conference.  The following day,
  Ricardo Lagos appeared at the elections office with a check and
  unsuccessfully tried to purchase a copy of the registration rolls.
  The list has now been made available, and there is a growing demand
  that the disk be released so that the names on the list can be checked
  against it.  Lagos argues that if the disk is not released, the
  government will be vulnerable to a charge of voter fraud.  However, if
  the disk is released, he and the citizens' free elections committees
  believe it could be used to verify the registration process more
  effectively than was possible either in the Korean presidential
  election or in the election called by Marcos.

It used to be that you could hope to verify something by checking paper
files.  File cabinets full of paper are so clumsy and inert that it is
hard for a government to both operate from day to day and also falsify
its own records in a massive and systematic way.  Nowadays, however,
one can use software and printers to generate an infinite amount of
arbitrarily mendacious paper at minimal expense.  Citizens who would
deter systematic mendacity now need access to the computer records.

If the opposition has computers and technical expertise of its own,
having the registration rolls in machine-readable form might make
whatever checking they can do more efficient.  But what does ``access to
the disk'' mean?  Is Sr. Garcia going to dismount the actual medium and
hand it over to the opposition?  Is he going to spin them a tape copy?
Is he going to let opposition programmers sit at the console of the
election commission computer and rummage around?  Is he going to run a
network cable across Santiago to the opposition headquarters?  In any
case, without effectively complete and continual monitoring of the
computer's software and operations, how can the opposition know that
it's getting the actual registration rolls and not simply the bogus
sources that were used to print the paper listing they've already got?

The idea of the Chilean government owning computers at all is pretty
repulsive.  The same article also reports on the government's new, more
sophisticated methods for inhibiting dissent.  Fewer people disappear
these days.  Instead, people who engage in disapproved political
activity receive a graded series of threats whose administration must
require a formidable database facility.  A typical series might run as
follows (p 32):

  For example, before a kidnapping 1) you receive a phone call at work
  noting with displeasure your involvement in a certain activity; 2) an
  unsigned letter at your home follows, using all three of your legal
  names [a footnote here explains that most Chileans never use their
  full names except on official documents; the letter thus suggests that
  its authors have access to official records]; 3) you get a short
  menacing phone call at home conveying information about your children;
  4) in what appears to be an accident you are knocked to the ground on
  a crowded sidewalk; 5) a decapitated animal is placed on your doorstep
  [the juxtaposition of technology and primitive barbarity is weirdly
  unnerving here]; 6) another phone call -- if you have moved it is
  noted that this move has been observed; 7) you hear a shot in the air
  near your home; 8) you hear an explosion or more often you find an
  explosive nearby that has not gone off; 9) people enter your house and
  tell your husband or wife that the activity you are engaged in is
  dangerous to them and to you and that they should convince you to
  stop; 10) you are kidnapped, interrogated, and released in a day; 11)
  you receive a death threat.

This pattern has become sufficiently institutionalized that a vocabulary
has arisen around it.  Having reached your ``tenth gradation'' of threat
is considered very bad news: disappearances have certainly not stopped.

[...There is indeed an intrinsic problem as to whether the released disk
information was the actual information.  Acceptability of computer records
-- even with cryptoseals, authenticators, or any other digital signature --
is always going to be in question.  Essentially anything can be altered,
spoofed, or forged, given appropriate access.  Even "once-writable" optical
media can be overwritten (albeit asymmetrically)!   "No guarantees"...  PGN]

------------------------------

End of RISKS-FORUM Digest
************************