RISKS-LIST: RISKS-FORUM Digest  Thursday 8 February 1990  Volume 9 : Issue 67

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Shoplifting and Computers (Curtis P. Yeske)
  New movie Script writer (Olivier Crepin-Leblond)
  Re: Computers, good and evil (George L Sicherman)
  The C3 legacy, Part 3: Command-control catches on (Les Earnest)
  Vincennes' ROEs revisited (Clifford Johnson)
  SOGS - Hubble Space Telescope software now ready (Rodney Hoffman)
  AT&T and reentrant code (John A. Pershing Jr)
  AT&T and error recovery (Jonathan I. Kamens)
  Dillard's Dept Stores Use SSN as Sales ID - Printed on Receipts (Allen Gwinn)
  AutoAlarms (Robert J Woodhead)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line (otherwise they may be ignored). REQUESTS to RISKS-Request@CSL.SRI.COM.

TO FTP VOL i ISSUE j:
  ftp CRVAX.sri.com
  login anonymous
  AnyNonNullPW
  cd sys$user2:[risks]
  get risks-i.j
Vol summaries now in risks-i.0 (j=0)

----------------------------------------------------------------------

Date: Mon, 5 Feb 90 17:01:18 -0500 (EST)
From: "Curtis P. Yeske"
Subject: Shoplifting and Computers

From AP:

...And, experts say, cameras programmed to watch for known shoplifters may someday be used. "It would be programmed to recognize face patterns and analyze the customers as they walk in," said Bob McCrie, editor of New York-based publication Security Letter.

------------------------------

Date: Wed, 7 FEB 90 09:55:52 GMT
From: Olivier Crepin-Leblond
Subject: New movie Script writer

Taken from ORACLE Teletext Service (Channel 4, UK):

"Surveying what's available at your local multi-screen, does the feeling ever creep over you that film scripts must be written by a computer? You may be right.
A recent issue of film mag Hollywood Reporter reveals that a software programme called 'Collaborator' has become available. It's a `story structure and script analysis programme', designed to help screenwriters construct their stories. Somehow the knowledge that it's based on Aristotle's Six Elements of Drama doesn't make me feel any better."

Is big brother now controlling my entertainment?

Olivier M.J. Crepin-Leblond, Comp. Sys. & Elec. Eng,
Electrical & Electronic Eng, King's College London, UK
BITNET :

------------------------------

Date: Tue, 6 Feb 90 21:04:22 EST
From: gls@odyssey.att.com (George L Sicherman)
Subject: Re: Computers, good and evil (RISKS-9.66)

In _Risks Digest_ 9.66 Phil Agre recommends _The Cultural Dimensions of Educational Computing: Understanding the Non-Neutrality of Technology_ by C. A. Bowers. Agre's succinct summary begins:

> It is often said that computers are neutral in that, like pencils and
> hammers, they can be used for either good or evil. This might be true
> on some possible interpretations, but Bowers argues that it is false on
> a long list of others. ...

Like many scholars who examine our emerging electronic culture, Bowers is running 25 years behind Marshall McLuhan. Here is McLuhan on the subject of "neutrality":

    In accepting an honorary degree from the University of Notre Dame a few years ago, General David Sarnoff [head of RCA --gls] made this statement: "We are too prone to make technological instruments the scapegoats for the sins of those who wield them. The products of modern science are not in themselves good or bad; it is the way they are used that determines their value." That is the voice of the current somnambulism. Suppose we were to say, "Apple pie is in itself neither good nor bad; it is the way it is used that determines its value." ...
    There is nothing in the Sarnoff statement that will bear scrutiny, for it ignores the nature of the medium, of any and all media, in the true Narcissus style of one hypnotized by the amputation and extension of his own being in a new technical form. ... It has never occurred to General Sarnoff that any technology could do anything but _add_ itself on to what we already are.

        _Understanding Media: The Extensions of Man_ (1964)

To be fair to Bowers, he may be aware of McLuhan's work. I have not yet read Bowers's book so I cannot say. I _can_ say that most of the writers I have read who expound on the unforeseen implications of the electronic age are thoroughly insensible to the unseen implications of the age of print.

The risk is that we may regard a necessary consequence of electronic culture as a "risk" to be prevented by suitable countermeasures, because it offends the sensibilities we acquired from print culture.

Col. G. L. Sicherman

------------------------------

Date: 05 Feb 90 1523 PST
From: Les Earnest
Subject: The C3 legacy, Part 3: Command-control catches on

(Continuing from RISKS 9.65)

As the U.S. Air Force committed itself to the development of the SAGE air defense system in the late 1950s, new weapons that did not require centralized guidance came to be rejected, even though some appeared to be less vulnerable to countermeasures than those that depended on SAGE. An example was a very fast, long range interceptor called the F-109 that was to carry a radar that would enable it to locate bombers at a considerable distance and attack them. As such, it did not need an elaborate ground-based computer control system.

My group at MIT Lincoln Lab had been responsible for integrating earlier interceptors and missiles into SAGE. We subsequently joined Mitre Corporation when it was formed from Lincoln Lab's rib and were later assigned the responsibility for examining how the F-109 interceptor might be used.
I had assumed that the Air Force was genuinely interested in seeing how the F-109 could best function in air defense. Accordingly, we worked out a plan in which the interceptors that were in service would be deployed to various airfields, both civilian and military, so as to make them less vulnerable to attack. This dispersal together with their ability to function with minimal information about the locations of attacking bombers appeared to offer a rather resilient air defense capability that could survive even the destruction of the vulnerable SAGE system.

When we published a utilization plan for the F-109 based on these ideas, the Air Force made it clear that we had reached the "wrong" conclusion -- we were supposed to prove that it was a bad idea. We apparently had been chosen to "study" it because, as designers of SAGE, we were expected to oppose any defensive weapons that would not need SAGE.

In order to deal with the embarrassing outcome of this study, a Colonel was commissioned to write a refutation that confirmed the ongoing need for centralized computer control. The Air Force insisted that anyone who requested our report must also get a copy of the refutation. Mitre necessarily acceded. In any case, the F-109 was never built in quantity.

The seductive image

Though the designers of SAGE came to recognize its weaknesses and vulnerabilities and the Air Force should have been reluctant to build more systems of the same type, it somehow came to be regarded as the model of what the next generation of military control systems should be. Never mind that it was essentially useless as a defense system -- it looked good!

The upper floor of each SAGE command center had a large room with subdued lighting and dozens of large display terminals, each operated by two people.
Each terminal had a small storage-tube display for tabular reference data, a large CRT display of geographical and aircraft information (with a flicker period of just over one second!), and a light gun for pointing at particular features. Each terminal also had built-in reading lights, telephone/intercoms, and electric cigar lighters. This dramatic environment with flickering phosphorescent displays clearly looked to the military folks like the right kind of place to run a war. Or just to "hang out."

Downstairs was the mighty AN/FSQ-7 computer, designed by MIT using the latest and greatest technology available and constructed by IBM. It had:

 o  A dual-processor nonstop timesharing system. The off-line computer was usually either undergoing preventive maintenance or was following the actions of the online computer so that it would be ready to take over if that machine failed. In this respect it was similar to the commercial nonstop systems developed much later by Tandem and its followers.

 o  The computer was composed of rows of glimmering vacuum tubes spread over an area about the size of a football field, with lots of large magnetic drums used both for secondary storage and as communications buffers. (Magnetic disks had not yet been perfected.)

 o  It used the recently-invented magnetic core memories in the largest and fastest configuration yet built: 256K bytes with 6 microsecond cycle time. Each of the two main memories was packed into the volume of a shower stall, a remarkable density for that period.

 o  A gigantic air conditioning system was required to suck all the heat out of the monstrous computer.

Remarkably, all of this new technology worked rather well. There were some funny discoveries along the way, though. For example, in doing preventive maintenance checks on tubes, a technician found one that was completely dead that had not been detected by the diagnostics. Upon further examination it was discovered that this tube didn't do anything!
This minor blunder no doubt arose during one of the many redesigns of the machine.

Both the prototype and operational SAGE centers were frequently visited by military brass, higher level bureaucrats, and members of Congress. They generally seemed to be impressed by the image of powerful, central control that this leading-edge technological marvel had.

Of course, General Lemay and his Strategic Air Command could not sit by and let another organization develop advanced computer technology when SAC didn't have any. In short order the SAC Control System was born. Never mind that there was not much for it to do -- it had to be at least as fancy as SAGE.

When the full name was written out, it became Strategic Air Command Control System. The chance juxtaposition of "Command" and "Control" in this name somehow conjured up a deeper meaning in certain military minds. In short order, Command-Control Systems became a buzz word and a horde of development projects was started based on this "concept." The Air Force Systems Command soon realized that it had discovered a growth industry and reorganized accordingly.

The specifications for the new C2 systems generally contained no quantitative measures of performance that were to be met -- the presumption seemed to be that whatever was being done already could be done faster and better by using computers! How wrong they were.

(Next segment: Command-control takes off)

-Les Earnest (Les@Sail.Stanford.edu)

------------------------------

Date: Mon, 5 Feb 90 17:12:48 PST
From: "Clifford Johnson"
Subject: Vincennes' ROEs revisited (Horn, RISKS-9.66)

> By specifications I refer not to the engineering documents used
> in building the shipboard equipment. I mean the laws and
> treaties governing the behaviour of combatant and non-combatant
> in areas of conflict. They did and do have direct relevance to
> the computer systems.

I for one specifically complained that the U.S.
Rules Of Engagement, as implemented and acted upon in the Vincennes incident, were in violation of international law. In this context, retiring ex-Chairman of the Joint Chiefs of Staff *Admiral* Crowe stated in an interview that the biggest change in the military in his lifetime was the change in ROEs, whereby U.S. ships now fired first instead of waiting for a confirmed attack. He stated that missile technology meant you couldn't risk being hit first any more.

------------------------------

Date: 7 Feb 90 09:50:33 PST (Wednesday)
From: Rodney Hoffman
Subject: SOGS - Hubble Space Telescope software now ready

In RISKS 8.46, Paul Eggert summarized M. Mitchell Waldrop's article "Will the Hubble Space Telescope Compute?" which appeared in 'Science' magazine 17 March 1989, pp 1437-1439. The story said "critical operations software is still a mess -- the victim of primitive programming methods and chaotic project management." Supposedly completed in 1986, bugs were still turning up as fast as the programmers could fix them, and the system, the $70 million Science Operations Ground System (SOGS), ran at only one-third optimum speed.

According to the article, the Space Telescope Science Institute, the program managers, were counting on faster computers plus better algorithms plus some (unspecified) AI techniques to fix SOGS. They were confident that SOGS would be ready when the telescope was launched.

Last week, the 'Los Angeles Times' ran a lengthy story about the Space Telescope, but the article did not mention the software. I called the reporter, and he said that he had been at the Space Telescope Science Institute along with other reporters including Waldrop. He says that Waldrop and others did indeed bring up questions about the software, and they were simply told that it's all fine now.

We'll soon see. The Hubble Space Telescope is to be launched from the shuttle in an upcoming mission.

------------------------------

Date: Thu, 8 Feb 90 09:55:35 EST
From: "John A. Pershing Jr."
Subject: AT&T (RISKS-9.62) and reentrant code

Reading between the lines of the AT&T pronouncements on the Jan-15 failure, it sounds to me (as a systems programmer) that the "bug" was a reentrancy problem. Specifically, the recovery routine was not reentrant. Under the old way of handling recovery, a single "I'm OK" message would indicate that the previously failed switch was back in service; in the new scheme, the recovery of the failed switch was signalled when new call-setup messages started flooding in, causing the recovery routine to be reentered.

This is sheer speculation on my part; can anyone out there who is "in the know" either confirm or deny this speculation?

John Pershing
IBM Research, Yorktown Heights

------------------------------

Date: Mon, 5 Feb 90 19:35:52 -0500
From: Jonathan I. Kamens
Subject: AT&T (RISKS-9.66) and error recovery

In a paper entitled "Assuring Quality and Reliability of Complex Electronic Systems: Hardware and Software", published in the January 1988 Proceedings of the IEEE, Edwin A. Irland (who has a whole list of past work for Bell Labs and related companies and whose current position (according to the reprint I have) is as the Assistant Vice President of Switching Analysis and Reliability Technology for Bellcore in Red Bank, NJ) writes the following, which I think is very much apropos:

    ... The subtlety of these methods implies an important source of unreliability; unreliable error recovery. Thus it is important that system testing pay meticulous attention to fault simulation to uncover weaknesses in the recovery. Data taken on electronic switching systems show that failure to recover from simplex faults is usually a significant source of total outage time....

A "significant source" indeed...

Jonathan Kamens, MIT Project Athena, jik@Athena.MIT.EDU
Office: 617-253-8495

------------------------------

Date: Mon Feb 5 20:29:31 1990
From: allen@sulaco.Sigma.COM (Allen Gwinn)
Subject: Dillard's Dept Stores Use SSN as Sales ID - Printed on Receipts

Subject: DILLARD'S VIOLATING CONFIDENTIALITY - PUBLISHING EMPLOYEE SSN'S
Newsgroups: misc.consumers,misc.headlines,misc.legal,dfw.general
Summary: Sanctions possible against employees who don't comply
Keywords: publish, social security numbers, invasion of privacy

On February 4, 1990, Dillard's Department Stores (headquartered in Little Rock, Arkansas) began using employees' personal Social Security numbers for their employee I.D. and sales associate numbers. These Social Security numbers are visible and, for the time being, NOT "scrambled" enabling any customer to obtain the Social Security number of any sales associate.

Dillard's plan is to begin "scrambling" the numbers anywhere from two weeks to a month according to various sources. After this process, "nobody will be able to identify [the number] as a Social Security number" according to Ed Auffert, Assistant to the General Counsel. Mr. Auffert added that after the scrambling "gen" has been added to the system, all employees will be required to use their Social Security numbers.

According to a memorandum distributed to all employees recently, employees "must" use their "nine-digit sales numbers" in order to "insure credit for sales rung." The memorandum states that the "terminals will accept three-digit sales numbers" in the interim. In-store announcements and other management sources at the Dillard's Department Store at Northpark Center in Dallas have indicated that sales data may not be accurate on employees continuing to use their older three-digit sales codes.
Since this data is used to evaluate employee performance, this could mean that employees not desiring to divulge their Social Security numbers to the public could eventually be disciplined or discharged.

When contacted personally, Northpark store manager Peter Rodriquez confirmed that employees might be "disciplined" for choosing not to use their personal Social Security numbers even in the interim period (prior to computer "scrambling" of the employee's SSN). After being advised of the intent to use this information as part of a Usenet article, he refused to comment any further and referred further contact to W.R. "Bob" Applebee, a regional director for Dillard's in Fort Worth, Texas.

Mr. Applebee, when contacted by phone, stated emphatically that the "policy (on the use of Social Security numbers until the encryption was complete) had been rescinded." He stated that at present no employees "anywhere in the Dillard's store system" were using their Social Security numbers. Further, Mr. Applebee stated that these numbers were "not visible on any printed cash register receipts."

Contrary to Mr. Applebee's claims, a subsequent check of the Dillard's store in Northpark Center produced several receipts with employee Social Security numbers clearly visible as the sales I.D.

As to the "encryption" method to be used, Dillard's officials were unable to provide any details. At least one source familiar with this project feels that it would be possible to decrypt these numbers if comparisons could be made against other encrypted Social Security numbers.

For the meantime, Dillard's officials maintain that there is "nothing illegal" about what they are doing. They agree that there are going to be employees that disagree with this policy, but seem to convey the feelings that these people are free to seek employment elsewhere.

More details will be relayed to the appropriate groups as they become available.
Any comments on the matter may be emailed to 'dillard@sulaco.sigma.com' or 'sulaco!dillard'. Any comments received are subject to being relayed to Dillard's headquarters in Little Rock ANONYMOUSLY IF SO INDICATED.

Contacts:
  W.R. Applebee, Regional Director        (817) 831-5428   Ft Worth, TX
  Ed Auffert, Asst to General Counsel     (501) 376-5200   Little Rock, AR
  Peter Rodriquez, Northpark Store Mgr.   (214) 373-7000   Dallas, TX

Others either unable to be contacted or refusing comment:
  William Dillard, II, President          (501) 376-5200   Little Rock, AR
  Gene Baker, Advertising                 (817) 831-5111   Ft Worth, TX

------------------------------

Date: Tue Feb 6 17:30:00 1990
From: trebor@biar.UUCP (Robert J Woodhead)
Subject: AutoAlarms

Fortunately for many of us, after about 40 years of intense debate in the automotive industry on this complex and challenging "lights on" problem, some manufacturers are adding a simple device that alerts you if your lights are on when the ignition is off. These range from a simple analog "BReeee!" in my Chevy Blazer to digital (shudder!) voice synthesis in some upscale foreign yuppiemobiles.

I for one rate this innovation right up there with Post-It Brand Notes, Microwave Popcorn and VCRs in its subtle yet sweeping effect on the whole of Western Society. ;^)

Robert J Woodhead, Biar Games, Inc.
!uunet!biar!trebor | trebor@biar.UUCP

------------------------------

End of RISKS-FORUM Digest 9.67
************************