RISKS-LIST: RISKS-FORUM Digest  Wednesday 11 January 1989  Volume 8 : Issue 4

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  M1 Plane crash (Nigel Roberts)
  $4.5 M Child Support Computer to be Scrapped in VA (Dave Davis)
  Eelskin wallets erase mag strips? (Jane D. Smith)
  Firearms Arrive in the Electronics Age (Allen)
  Unused city computer system set aside after 4 years, $4M (Stephen W. Thompson)
  Re: Hackers' Conference versus CBS (John Gilmore)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome.
* RISKS MOVES SOON TO csl.sri.com. FTPable ARCHIVES WILL REMAIN ON KL.sri.com.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line (otherwise they may be ignored). REQUESTS to RISKS-Request@CSL.SRI.COM.
FOR VOL i ISSUE j / ftp KL.sri.com / login anonymous (ANY NONNULL PASSWORD) / get stripe:risks-i.j ... (OR TRY cd stripe: / get risks-i.j ...
Volume summaries in (i.j)=(1.46),(2.57),(3.92),(4.97),(5.85),(6.95),(7.99).

----------------------------------------------------------------------

Date: Wed, 11 Jan 89 03:02:40 PST
From: roberts%untadh.DEC@decwrl.dec.com (Nigel)
Subject: M1 Plane crash

"DISASTER BECOMES A MATTER OF ROUTINE

There is no pattern to the proliferation of disasters. Lockerbie was a bomb on a middle-aged jet, blown to pieces high over a Scottish town. Flight BD-92 was a spanking new jet which somehow (inevitable speculation) seems to have contrived to lose both engines limping in to land at Castle Donington. No suggestion of a bomb, though the flight was Belfast-bound; and --- compared to the carnage of Lockerbie --- enormous strokes of good fortune.
You cannot, surveying the debris strewn across the M1 (freeway), quite visualise how so many passengers survived, nor calculate the odds against the doomed Boeing ploughing into a string of cars and lorries; nor those against fire engulfing the scene.

In a way, the horror of BD-92, like Clapham Junction, like King's Cross even, is easier to come to terms with. It was just one of those things: mechanical (or, possibly, human error.) Inquiries may be conducted, reports published. There are things that can be done. Engines to be checked. Software to be scrutinised. Training to be tightened.

And, beyond such simple reactions, of course, there will be more political questions. How rigorous and independent are Civil Aviation Authority checks? Do they take too much for granted, because the FAA has already pronounced an aircraft safe? Have all the lessons of Manchester been learned and acted upon? What are the risks for two engined planes? We have been constantly informed that the chances of both engines failing are millions to one, so that such airliners now cross the Atlantic as a matter of routine. But the odds may have shortened somewhat over Kegworth on Sunday night.

There is a broader sense, though, in which the M1 disaster brings no comfort at all. It was a failure of technology; or maybe some element of human incapacity to deal with technology. There is supposed reassurance in hi-tech. The machines take over, to blind-land a jumbo, or put man into space. Eliminate human error. Leave it to the computers. But that is too blithe. Week after week, month after month, hi-tech planes fall out of the sky. Because they are military jets, and fall usually into the sea or on some deserted hillside, they do not command the headlines. (Though when, as a few weeks ago, they plough into the centre of a West German town, all that changes).
They are not safer because of their extreme sophistication; on the contrary, they are dangerous because human beings, no matter how relentlessly trained, are not sophisticated enough to command their infinite complexity. And so, in civil aviation too, the new, replacing the middle aged, does not automatically spell greater safety.

We must, in short, begin to budget for disaster. Watch the jets stacked over Heathrow or Gatwick and there is a feeling of living dangerously, of disasters waiting to happen. As they occur, they will not necessarily alter the basic calculations. It will still, statistically, be safer to take a flight to New York, than your car for a Sunday spin. The growth in air traffic cannot be checked; nor can the demand for new, more complex planes.

There is, here, a sense of challenge. Airports within a few hundred yards of motorways; jets wheeling to land over cities. Lockerbie and Castle Donington are very different cases, united only by their fear and pity. The odds against them happening within a handful of days, like the odds against two engines failing, were millions to one. But disaster, it seems, has a way of rendering odds meaningless."

--- 'The View from Britain', leader article in _The Guardian_ newspaper, Tuesday January 10 1989

[Several of this evening's news programs report the possibility of a computer problem or cross-wiring error that might imply it was not pilot error... PGN]

------------------------------

Date: Wed, 11 Jan 89 07:54:07 -0500
From: dave davis
Subject: $4.5 M Child Support Computer to be Scrapped in VA

From the 24 Dec 88 issue of the Washington Post comes an article about yet another failed software development project. The system was to disburse child support payments for the State Dept. of Social Services...The state paid $4.5 M for the system in 1985... problems with the system caused delays up to six months in issuing payments...
The state is now seeking a completely new system [now that it has figured out its requirements, apparently] for $10M, to be installed in two years. The article further states: "the state bought Unisys' proposed package outside of normal competitive bidding practices, a move a state auditors' report later found was made in an 'atmosphere of panic and haste'...welfare officials never checked to see if the system would do what the company promised."

It appears that the state officials involved didn't exercise the kind of management care that a more routine non-technical procurement would have received.

Dave Davis, McLean, VA

------------------------------

Date: 10 Jan 89 15:44:03 GMT
From: jds@uncecs.edu (Jane D. Smith)
Subject: eelskin wallets erase mag strips?

From a report on NPR's All Things Considered program 1/9/89: A spokesperson for a distributor of eelskin wallets responded to the apparently widespreading rumor [SEE RISKS-6.25] that eelskin wallets erase the magnetic strip information on credit cards and ATM cards of their owners. Sales of eelskin wallets have dropped as wary consumers boycott the alleged mag strip eaters. The magnets used as closures for the wallets are the real culprits, however, and the spokesperson said the manufacturers were now using smaller magnets as closures or using conventional snap closures. Caveat emptor!

-- Jane Dunlap Smith
UNC-ECS Information Services

------------------------------

Date: 10 Jan 89 11:30:27 EST
From: ALLEN@s56.prime.com
Subject: Firearms Arrive in the Electronics Age

This item appeared in Business Week Nov 28, 1988:

Electronic Gun

Colt industries Inc has filed for US and European patents on a handgun with an electronic firing system. Pulling the trigger would move a magnet past the solid state switch, triggering a circuit that releases the hammer. It would be more reliable and cheaper than mechanical systems, says the company.
In addition, putting chips in pistols would make it possible to add a digital display that warns when the gun is loaded and shows how many shots are left. And that could just be the beginning of new "user friendly" features for tomorrow's firearms.

Now, I'm not a "hardware type" (maybe they're thinking of microcoding the gun :-)?), but after reading recent RISKS articles that discuss such things as electromagnetic interference with army helicopters, etc., it seems that the risks attendant with the device described above should be prohibitive. This firearm design seems just plain absurd!

Other points: whatever happened to the tried-and-true engineering philosophy of "simplest best"? An electronic firing system in a handgun seems, say, Rube Goldberg-ish, yes? Furthermore, with your little digital display, all the excitement of playing Russian Roulette would disappear.

------------------------------

Date: Mon, 09 Jan 89 15:07:47 -0500
From: "Stephen W. Thompson"
Subject: Unused city computer system set aside after 4 years, $4 million
Organization: Institute for Research on Higher Education, Univ. of Pennsylvania

The following article comes from the 6 January 1989 (Friday) Philadelphia Inquirer, front page. In this city where the government is widely criticized on every front, it raises questions of incompetence and poor management. It also, however, raises questions about whether cities ought to be involved in software development.

Unused city computer system set aside after 4 years, $4 million
By Dan Meyers, Inquirer Staff Writer

After at least $4 million in expenses and more than four years of frustration, the City of Philadelphia has shelved a computer system it bought -- but never used.

Officials in the Finance Department had pitched the system in the early 1980s as an efficient way to track information on payroll, pensions and personnel.

"Has it worked?" City Councilman John F. Street asked at a hearing this week.

"No it has not," said Deputy Finance Director Peter A. Certo, the latest supervisor of the project.

Certo said the total cost has been at least $4 million. Street put it at $5 million. The system now is in storage.

For the current fiscal year, which began in July, the Finance Department had budgeted more than $400,000 for a 13-member team to work on the computer system.

* In May, however, with Mayor [Wilson] Goode facing a $79 million budget deficit and calling for a cut of 2,000 people in the city workforce, Finance director Betsy C. Reveal decided to put the program on hold indefinitely. She did not respond to requests for comment.

"We didn't really scrap it," said Certo. "We put it on the back burner."

Records in the city controller's office show the project was scuttled by mid-September.

The failure of the system was mentioned Wednesday in a hearing on another matter of the Appropriations Committee, which Street chairs. "Council members really thought we'd been burned" on the Finance Department project, Street said.

* [Overall problems with city funding finally brought the computer system's development to a halt.]

The computer tapes, programs and consultant reports have been put in storage and could be "resurrected" when the city can afford to pursue them, Certo said.

Certo said the problem was that it was difficult to adapt a computer system to the myriad peculiarities of the city. And he said it would have taken additional staff and money to get the computer system working. According to Certo, the project was underfunded from the start. When it was mothballed, the computer program was at least six months away from working, Certo said.

Others were skeptical of the ability of such departments as Finance to oversee complicated computer projects.

"Systems like this are difficult to install and should be left to professionals to do," said Eugene L.
Cliett Jr., director of the Philadelphia Computing Center, an office created by Goode to oversee city computer projects.

The computer project was under discussion at least as early as 1982, under the administration of Mayor William J. Green, according to controller records.

The plan was to take a software package -- computer programs already designed by a company -- and modify it to the city's particular needs. The city chose not to order a custom-designed computer system because the cost would have been double or triple, Certo said.

By early 1984, the city had entered into a $1.4 million contract with American Management Systems to develop a computer system that would combine, in easily digestible form, data on city employees. "Time is of the essence," the contract said.

Numerous consulting contracts followed, totalling at least $214,000, according to controller records. Much of the rest of the cost was for city staff assigned to the project.

The system initially was to include information on three areas -- payroll, pensions and personnel. All had, and still have, separate computer systems. The pension board pulled out of the project shortly after it began.

"We have a system now that is 30 years old and it pays people every week but doesn't give us a lot of management information we'd like to have," Certo said.

The computer system that was supposed to cure that problem was slow in taking shape, however.

"We spent two years modifying the package and in the course of that period found things we felt were not addressed adequately by AMS," Certo said. At one point, he said, the list of problems was at least 85 items long.

AMS consultants began to phase out of the work and the city Finance Department took it over. But one department or another objected to the results, Certo said.

"We were constantly changing things," he recalled. "We tried to accommodate everyone."
Finally, in the city budget crunch, Reveal decided to abandon the long-standing project, at least for the moment. So at a time when the city could most use precise information that could help the city run more efficiently, the Goode administration has determined that it cannot afford to pay for it.

"You're damned if you do and damned if you don't," Certo said. "We decided not to do it."

------------------------------

Date: Mon, 9 Jan 89 18:13:34 PST
From: gnu@toad.com (John Gilmore)
Subject: Re: Hackers' Conference versus CBS

I was at the Hackers' Conference whose blatantly slanted news coverage was recently reported in The Institute and Risks. I created a transcript of the CBS news segment the evening it was aired; it is below. Reading it is interesting; while CBS never lied, they juxtaposed material from different sources to make a strong impression that we were criminals. Note in particular what was happening on the screen while various things were said (e.g. showing a "combat" video game while talking about us as revolutionaries, showing Cliff Stoll giggling about mice and playing with a Yo-Yo). BTW, there *was* the obligatory shot of tape drives, I seem to recall.

CBS was given special access in order to film the conference; the rest of the press was only allowed there on Sunday. Needless to say they will NOT be invited back (and I will personally escort them off the property even if they show up on Sunday). Unfortunately, that's not enough. The producer of the show guaranteed that the attendees' image of hacking, rather than the distorted, media-generated image of hacking, would be presented. He broke that promise, with a vengeance, but boycotting CBS won't help. (Fred Peabody produced the Hackers coverage. He went to ABC, working on 20/20, according to Glenn Tenney, who ran the Hackers Conference. Be sure you don't let him *near* anything you are doing -- if you want fair and unbiased coverage.)
John Gilmore

Transcript of CBS News segment on the Hackers Conference filmed 7 Oct 88, aired 8 Oct 88.

Anchorman ("High Technology" logo and drawing of chip): An unusual conference is under way near San Francisco. The people attending it are experts on a technology that intimidates most of us, but has changed the way we live. John Blackstone reports.

Narrator (trees and outdoor scenes at conference): A small revolutionary army is meeting in the hills above California's Silicon Valley this weekend, plotting their next attacks on the valley below, the heart of the nation's computer industry. They call themselves computer hackers.

Jonathan Post: "The people who are gathered here changed the world once; if we can agree on where to go next, we're gonna change it again."

Narr (conference scenes, blinking lights): What hackers have learned to do with computers has changed the world, for both good and bad. They're the people who dreamed of and built the personal computer industry. But the same kind of talent is creating never before dreamed-of crime. Because for a computer, the only difference between a hundred and a million is a few zeros.

Donn Parker, (SRI International, in office): "And so, in fact, criminals today I think have a new problem to deal with: and that is how much should I take. They can take any amount they want."

Narr (phone central office): Telephone companies are the most victimized because those who break into phone company computers can link up for free to computers around the world.

Richard Fitzmaurice (Pacific Bell, in office): "You'll hear the term computer hacker, computer cracker; we call them computer criminals."

Narr (blinking lights): But much more frightening are the hackers who crack American military computers. Earlier this year in a lab that does some classified research, astronomer Clifford Stoll discovered someone had broken into his computer. He says it was like finding a mouse running across the floor.
Stoll (in office): "You watch and you see, he's going in that hole over there, and you say, ooh, he's going in that hole; that connects to a network that goes to a military computer, in Okinawa."

Narr (Stoll playing with a yo-yo in a machine room): The breakins to American military computers went on for several months. Eventually Stoll traced them to a hacker in West Germany.

Donn (in office): "A hacker today is an extremely potentially dangerous person. He can do almost anything he wants to do in your computer."

Narr (at conference, video games, stabbing and fighting on screen): But at the hackers' camp in the hills, there's recognition that in any revolutionary army there will be a few rogues and criminals. But that's no reason, they say, to slow down the revolution. ``John Blackstone, CBS News, in the hills above Silicon Valley.''

------------------------------

End of RISKS-FORUM Digest 8.4
************************