FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Lawsuit over specification error (Martyn Thomas)
Hacking Illegal in UK - Official! (Pete Mellor)
NSA Press Release on NCSC reorganization (Jack Holleran)
No computers on Washington State ferries (David B. Benson)
Re: Discover Card (Will Martin)
Re: proposed ban on critical computerized software (Al Arsenault)
The RISKS Forum is moderated. Contributions should be relevant, sound, in good
taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome.
CONTRIBUTIONS to RI...@CSL.SRI.COM, with relevant, substantive "Subject:" line
(otherwise they may be ignored). REQUESTS to RISKS-...@CSL.SRI.COM.
TO FTP VOL i ISSUE j: ftp CRVAX.sri.com<CR>login anonymous<CR>AnyNonNullPW<CR>
cd sys$user2:[risks]<CR>GET RISKS-i.j <CR>; j is TWO digits. Vol summaries in
risks-i.00 (j=0); "dir risks-*.*<CR>" gives directory listing of back issues.
ALL CONTRIBUTIONS ARE CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
THE MOST RELEVANT CONTRIBUTIONS MAY APPEAR IN THE RISKS SECTION OF REGULAR
ISSUES OF ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, UNLESS YOU STATE OTHERWISE.
Date: Thu, 30 Aug 90 12:16:29 BST
From: Martyn Thomas <m...@praxis.co.uk>
Subject: Lawsuit over specification error
According to Flight International (29 Aug-4 Sept, page 13), Northwest Airlines
is suing CAE Electronics over a fatal aircraft crash in 1987 which Northwest
claim was partly caused by inaccuracies in a CAE flight training simulator.
The crash occurred when the crew attempted to take off without deploying flaps
and slats; according to the NTSB report, the crew failed to carry out the
checklist, and an unexplained electrical failure caused the take-off warning
system to fail to warn them.
Northwest claim that the simulator shows a warning system failure if the power
fails to the warning system, whereas the aircraft system fails silently. They
also claim that the crew selected go-around on the flight director, from
take-off, and the result was an additional pitch-up command of 6 degrees,
whereas the simulator effectively inhibits go-around from take-off.
CAE says the claim is frivolous and without merit.
This claim seems to me to suggest (a) that once again, aircrew do not
understand the side-effects (pitch-up, in this case) of flight-director
commands (which I believe means that the systems are too complex). I also
believe that the claim demonstrates the importance of formal specifications for
critical systems such as simulators - on this evidence, a simulator used for
crew training in emergency procedures is *itself* a safety-critical system.
(Presumably it should therefore require certification in the same way as an
in-flight system of equivalent criticality. Does anyone know the certification
requirements for simulators?)
Martyn Thomas, Praxis plc, 20 Manvers Street, Bath BA1 1PX UK.
Tel: +44-225-444700. Email: m...@praxis.co.uk
Date: Thu, 30 Aug 90 19:55:57 PDT
From: Pete Mellor <p...@cs.city.ac.uk>
Subject: Hacking Illegal in UK - Official!
The Computer Misuse Act came into force on Wed. 29th August 1990.
It introduces three new offences:
- 'Unauthorised access': a basic offence committed by anyone who seeks
to enter a computer system knowing that the entry is unauthorised.
Punishable by up to six months imprisonment.
- 'Unauthorised access' in furtherance of a more serious crime.
Punishable by up to five years imprisonment.
- 'Unauthorised modification of computer material': Introducing viruses,
Trojan horses, etc., or malicious damage to computer files.
Punishable by up to five years imprisonment.
The act was the result of a private member's bill introduced by Michael Colvin
MP (Conservative), which was supported by the government.
Extract from the Guardian, 29.08.90, p.2 [PM's comments in brackets]:
Headline: New hacking law 'too hard to enforce'
By-line: Owen Boycott
Peter Sommer [in true Grauniad style, they mis-spelt his name "Summer"],
author of the Hacker's Handbook [under the nom-de-plume "Hugo Cornwall"],
who opposed the need for new legislation, said yesterday he feared that doing
away with the criminal damage law [??? !!! See *1 below] would make it more
difficult to prosecute malevolent hackers.
"They are creating more difficulties for this offence than before," he said.
The new and untried legislation might be open to challenges on the definitions
of the wording of the act.
Scotland Yard's four-strong [!! *2] computer crime squad will be enlarged to
cope with the extra work expected. But yesterday, one member said: "It will
depend on people being aware a new crime exists, and reporting offences to
us. Previously they were not certain what was a crime and what wasn't. [*3]"
During the passage of the bill, the police argued for greater powers to tap
computer lines and force telecommunications companies to pursue hackers.
They were resisted by the bill's author, the Tory MP, Michael Colvin, who
believes the act will prevent damage by computer hacking. [*4]
He said: "Information technology is so much a part of a company's business,
that a hacker in the computer system is as bad as someone sabotaging the
"It is vital companies become far more computer security conscious. Over the
last five years the Department of Trade and Industry has recorded 270
computer crime cases. Only five were brought to court.
"Some have said the offence (in the act) does not go far enough, but it gives
the police powers to enter and search premises...once they have gone to a
judge for a warrant."
Although the estimates of the annual cost of computer crime have ranged up to
[Pounds sterling] 1 billion, most is fraud committed by employees using
computers for crimes that would otherwise have involved paper forgeries.
There are a few cases of hackers breaking in from systems outside companies
and extracting large sums. But cases of hackers breaking into systems and
damaging computer files are increasingly common.
Fears that there will be a sudden round-up of young computer enthusiasts
who have been hacking are unlikely to materialise. Like almost all
legislation [almost??], the Computer Misuse Act is not retrospective.
The DTI [Department of Trade and Industry] has welcomed the act, and hopes
it will encourage companies to take more care over systems' security. [*5]
End of extract
*1 Criminal damage is an offence that has nothing to do with computing, and
it has certainly not been 'done away with'. Since Peter Sommer is acutely
aware of this, I suspect that the Grauniad has garbled his words. I can
envisage a future prosecution involving both the offences created by the
new act *and* the old offence of criminal damage (which was the charge
under which Nicholas Whiteley was sent down for four months a short while
ago: see RISKS-10.03, 10.09, 10.10). A police spokesman was quoted at the
time as saying that the new act would not have made it any easier to
convict Whitely. Peter Sommer has always argued that this existing offence
is adequate for prosecuting a hacker who has caused actual damage.
*2 Wow! Those guys are really taking this problem *seriously*!
*3 [Censored, even though disemvoweled (as in *br*dg*d or s*n*t*z*d). PGN]
*4 Nice to meet an optimist! The plea for increased police power to intercept
communications was supported by Emma Nicholson, MP, whose earlier bill
failed for lack of parliamentary time - See RISKS-10.03. It is a fact of
human psychology that people are *not* deterred by a stiff penalty from
indulging in a profitable or enjoyable (but illegal) activity which has a
low probability of being detected. See, for example, H.J. Eysenck: "Sense
and Nonsense in Psychology". Eysenck cites the cases of sheep stealing in
18th century England, which persisted at a high rate though punishable by
hanging, and of his own family's flight from Nazi Germany *with* the family
jewels, when removing assets (but not fleeing in its own right) was
punishable by death. If you want to stop hacking, make it certain that
hackers will be caught. So why do I not support Nicholson? Because I'm a
pinko liberal and prefer my communications untampered with even if it
slightly increases the opportunity for undetected crime.
5* Fat chance! If anything, it will make them more complacent. To his credit,
Colvin does criticise system owners who are lax about security, and regards
their slackness as a dereliction of their duty to their users (RISKS-10.03).
BTW, we await the test case with baited breath.
As for the future of hacking? Well, as someone said when prostitution was made
illegal in New Orleans (or was it Paris?):
"They may make it illegal, but they'll never make it unpopular!"
Peter Mellor, Centre for Software Reliability, City University, Northampton Sq.
London EC1V 0HB +44(0)71-253-4399 Ext. 4162/3/1 p.me...@uk.ac.city (JANET)
Date: Thu, 30 Aug 90 15:56 EDT
From: Jack Holleran <Holl...@DOCKMASTER.NCSC.MIL>
Subject: NSA Press Release on NCSC reorganization
The following is the press release approved on August 20, 1990 by the
National Security Agency:
The National Security Agency (NSA) has announced that the National
Computer Security Center (NCSC) will be functionally realigned to enhance its
capability to respond to network and system information challenges. The NCSC
was created by the Department of Defense in 1981 to provide needed emphasis on
computer security and serve as a center of technical expertise.
The restructuring, which has been under consideration for some time, will
serve to facilitate the integration of the Agency's communications security
technical expertise and the computer security development and evaluation
process to better assure systems oriented solutions to system security
problems. The restructuring was prompted by increasing recognition that
current user applications virtually eliminate traditional distinctions between
telecommunications and information systems such that a functional merger of the
communication security and computer security disciplines was necessary to
effectively address network and system security issues.
The NCSC will continue to operate as a separate reporting element of NSA's
Information Systems Security Directorate. Patrick Gallagher, a senior NSA
official and Director of the NCSC, will be responsible for assuring that the
integration of communications security and computer security technical
expertise strengthens the NCSC's effectiveness in the development of criteria
for and the evaluation of information systems.
Agency officials emphasized that all NCSC activities will continue and
that this convergence of resources and skills from the two disciplines is
intended to enhance the NCSC's ability to fulfill its responsibilities and
effectively meet new challenges. These responsibilities include providing
technical support to activities of the National Institute of Standards and
Technology under the Computer Security Act of 1987 (P.L. 100-235). NCSC
remains committed to providing this support and to fostering the availability
of secure products to protect U.S. Government classified information as well
as unclassified and sensitive information, to the extent such technology has
application, is economically advantageous, and is consistent with the Public
Law. All of the NCSC's commitments to its industry partners regarding product
and system evaluation will continue to be met.
Date: Wed, 29 Aug 90 18:07:51 pdt
From: dbe...@yoda.eecs.wsu.edu (David B. Benson)
Subject: No computers on Washington State ferries
As the silly season draws to a close, it is time to note that the reporter
quoted in the RISKS item beginning
(From The Lewiston Morning Tribune, June 30, 1990)
SEATTLE--The Orcas Island ferry dock, badly damaged when
a state ferry rammed it, ...
was wrong regarding the following sentence:
Ferry operations superintendent Don Schwartzman
said it appeared the ship's computerized power supply
control system failed to respond to commands.
Followup stories confirmed what every ferry lover already knows: There are no
computers on Washington State ferries. All were removed several years ago.
[Or else the superintendent did not know that the computers had been
removed, as reported was going to happen way back in RISKS volume 4. PGN]
Date: Thu, 30 Aug 90 14:28:31 CDT
From: Will Martin <wma...@STL-06SIMA.ARMY.MIL>
Subject: Re: Discover Card
I tried to respond to "Brian M. Clapper <clapper@chekov>" by mail, but can't
find a host named "chekov" anywhere in the NIC host tables, when trying to make
the address given into something replyable-to.
[He has a decidedly noncompliant mailer. That is
what his mail said. Try cla...@nadc.navy.mil . PGN]
His comments on the Discover Card didn't ring a bell with me, so I dug
around my own Discover Card paperwork. First off, Mr. Clapper said there
was no PIN associated with the card, but not only did I receive a PIN
with mine, but there was a form to fill out and send in to get another
form (!) to request a specific PIN. You need the PIN to use the card in
certain ATM networks to get cash. (I've never done that, by the way.)
Secondly, he said the 800 number was written on the back of the card.
There is no number on the back of my Discover Card.
The Discover literature I have is full of the number 1-800-858-5588 (to call to
report a lost/stolen card, etc.). I called that number just now to see if I'd
get the automated interface he described, and, lo and behold, I instead get an
intercept recording that says, "The 800 number you have dialled has been
disconnected. No further information is available about this number." [!] I
find that rather astounding -- even if Discover switched numbers, they still
should have a cross-reference to the new number. The only thing that comes to
mind is that Discover changed 800 carriers, and the one that has 858 doesn't
want to give any business to whatever firm took over the Discover account.
I do consider it a "RISK" that the number cited in the cardholder's literature
as the one to call about a lost or stolen card does not work and has no
forwarding or cross-referencing to the current correct number.
I didn't bring a recent bill with me, so I don't have their current 800 number
to compare with this. I found a different "customer service" number in the
paperwork, too (1-800-451-4451), but it gets the same intercept recording. Glad
I found this out now, rather than when I had an urgent need to call them! I'll
see if I can locate a current number and update this info in case I need it
Since I couldn't try out the automated response system for Discover, I took a
chance and called the number on the back of my AT&T "Universal" Card (MC
version). They have one, also. I waded thru the menus and found out that they,
too, do not ask for a PIN but they *do* ask for the "ZIP code of your billing
address" as verification. I think that is a good compromise. I never carry the
card PINs with me, nor have them memorized, since I never use the functions
that require them. So this is something I *do* know and that would be at least
some deterrent to a thief who has someone else's card. If he has the whole
wallet, with ID and cards, though, he'll have that ZIP (probably).
Date: Thu, 30 Aug 90 17:54 EDT
From: Al Arsenault <AArse...@DOCKMASTER.NCSC.MIL>
Subject: Re: proposed ban on critical computerized software
While I am certainly not in favor of letting your typical computer program/
system be given full control (with no chance for override or other
intervention) of safety-critical situations, I am bit disturbed by a blanket
call for banning computers from being used in such environments at all. It
strikes me as a little odd that no one has seemed to mention the drawbacks of
such a ban.
For example, I throw out the following questions without knowledge of
the answers, but hoping that those who have called for this ban have
carefully thought through all of them:
(1) suppose that computers are banned from intensive care units? How
many extra people are going to be needed? What is the chance of a human error
occurring, with people instead of machines? Furthermore, what equipment will
be used in place of certain computerized monitors? (This one hits close to
home, folks. A computerized heart monitor notified Intensive Care nurses and
cardiologists that my father was having a heart attack, resulting in his living
five more years instead of diying then and there. The cardiologists on duty
both commented that it was lucky the hospital had installed the monitors the
previous week, as there was (to their knowledge) no other equipment that would
have alerted them in time to save his life.)
2. If you ban computers from early warning systems (assuming that
you need such beasts), what are you going to use? Do you have any idea how
many extra people it would take? Or what the chance would be of an error
caused by the sheer boredom of these people? Or what the chance would be that
no response would be taken when needed, because of an inability to collate data
in time? While I believe that letting a computer be in total charge is RISKy,
to say the least, I believe that taking computers totally out of the loop would
be far more RISKy.
3. If you ban computers from flight control systems, what do you do
about the increased wear and tear of the electromechanical parts that replace
them? What do you do about the increased strain on the pilots? Again I am not
advocating letting computers have complete control of the aircraft (as I pilot
myself, I certainly don't wnant that). However, I think that the tradeoffs
need to be carefully considered before one advocates such an extreme measure as
a total ban.
In summary, while I do NOT believe that computer hardware/software is of
sufficient quality as to be trusted with the sole stewardship of human life, I
DO believe that the decision as to whether or not to automate should be made
after a careful analysis of the RISKS of both potential decisions, not just the
RISKs of automating.
Al Arsenault Visting Professor, Computer Science U.S. Air Force Academy
[***Visiting?*** Or a Chair endowed by Col. R.Visting? PGN]
End of RISKS-FORUM Digest 10.27