risks@sri-csl (09/17/85)
From: RISKS FORUM (Peter G. Neumann, Coordinator) <RISKS@SRI-CSLA.ARPA>
RISKS-FORUM Digest Monday, 16 Sep 1985 Volume 1 : Issue 14
FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS
Peter G. Neumann, moderator
Contents:
Pitfalls of a Fail-Safe Mail Protocol? (Peter G. Neumann)
Some Ruminations on an Ideal Defense System (Bob Estell)
SDI, feasibility is irrelevant (Gopal)
Note on contributions:
Let me remind you all that your contributions to RISKS should be objective,
nonpolitical, nonpersonal, and on the subject of the Forum. Some of you
have been drifting away from the charter. In fact, I rejected a message
from John McCarthy that seemed to violate the nonpolitical criterion,
although in hindsight that was probably a subjective decision. John
accepted that decision, but suggested that you could communicate
privately with him if you were curious. PGN
(Contributions to RISKS@SRI-CSL.ARPA, Requests to RISKS-Request@SRI-CSL.ARPA)
(FTP Vol 1 : Issue n from SRI-CSL:<RISKS>RISKS-1.n)
----------------------------------------------------------------------
Date: Mon 16 Sep 85 20:25:57-PDT
From: Peter G. Neumann <Neumann@SRI-CSLA.ARPA>
Subject: Pitfalls of a Fail-Safe Mail Protocol?
To: RISKS@SRI-CSLA.ARPA
After reading the case of the double posting of hundreds of millions of
dollars in RISKS-1.11, some of you apparently experienced the multiple
posting of RISKS-1.13 -- all original mailings time-stamped Sat 14 Sep 85
23:43:07-PDT, all complete, and all identical. Brint Cooper, for example,
received THREE identical copies at various time intervals.
Received: from brl-aos.arpa by TGR.BRL.ARPA id aa20274; 15 Sep 85 3:23 EDT
Received: from sri-csl.arpa by AOS.BRL.ARPA id a017885; 15 Sep 85 3:18 EDT
Received: from brl-aos.arpa by TGR.BRL.ARPA id a021160; 15 Sep 85 4:47 EDT
Received: from sri-csl.arpa by AOS.BRL.ARPA id a018065; 15 Sep 85 4:35 EDT
Received: from brl-aos.arpa by TGR.BRL.ARPA id a022055; 15 Sep 85 6:31 EDT
Received: from sri-csl.arpa by AOS.BRL.ARPA id a018257; 15 Sep 85 6:17 EDT
The new ARPANET message protocols are supposed to be fail-safe (never losing
a message, retrying sensibly after a failure, and eventually returning
undeliverable mail with a NAK), network-efficient (transmitting single
copies to each host and letting that host redistribute), and reliable (never
garbling a message) -- although they cannot guarantee message authenticity
in the presence of tampering.
After consulting with my Foonly-TOPS-20 gurus (Geoff Goodfellow, Mark
Lotter, and Dwight Hare), we discovered that just after I mailed RISKS-1.13
late Saturday night, Foonly's David Poole brought our system down and up
(several times?) after midnight PDT for installation of a 100% memory
increment. Each time he brought it back up, the mailer seems to have
restarted sending some of the previously queued messages -- how many I do
not know. It is NOT SUPPOSED TO DO THAT, but that is the most plausible
explanation at the moment. If you again receive multiple copies, please
remail them back in their entirety to Geoff@SRI-CSL (and we'll hope that you
don't blow his mailbox). Geoff insists the protocol is sound, so let's let
him in on the glitch-hunt! Meanwhile, we'll follow a bunch of possibilities.
Analogous to the time-out problem described in RISKS-1.11 causing
double-posting of millions of dollars, a similar problem can arise in the
ARPANET if a receiving host does not acknowledge soon enough, causing a
time-out and retry -- even though the message was successfully received.
This has been known to happen, but probably not repeatedly, as in the
RISKS-1.13 duplication.
Sorry for the inconvenience. We will take several measures to try to
prevent a recurrence, but if there is a real bug in the protocols or in
their implementation, then we will just have to slug it out until it is found.
Peter
------------------------------
Date: Mon, 16 Sep 85 12:21:52 PDT
From: estell@NWC-143B
Subject: Some Ruminations on an Ideal Defense System
To: risks@sri-csl.arpa
SOME RUMINATIONS on AN IDEAL DEFENSE SYSTEM 16 SEP 85 [RGE]
WHAT ARE THE CHARACTERISTICS OF AN IDEAL DEFENSE SYSTEM?
(Never mind that it does NOT exist - and likely will not in my lifetime.)
1. Useful ONLY on the defensive; incapable of use as an offensive weapon.
2. Effectiveness: 100%.
3. Reliability: 100%.
4. Cost: Cheap. So economical to manufacture and deploy that everyone who
needs one (or two) could have it.
5. Simple to use; requires no training; requires no "technology base."
6. Easy to maintain; essentially never wears out, or breaks.
7. Side effects of use or possession: None.
EXAMPLES OF SYSTEMS THAT DO NOT MEET THE IDEAL REQUIREMENTS.
1. Planes, ships, tanks, guns, and bombs - of any size.
2. Chemicals, gas, germs, etc.
EXAMPLES OF SYSTEMS THAT MIGHT - or might not - SUFFICE.
(They clearly won't satisfy all the above requirements.)
1. SDI - whatever that turns out to be, a few billion $ from now.
2. MX - NOT the expensive "new" systems recently voted, but simple
modifications of older, reliable, affordable technology. The key
is the nature of the modifications. This isn't the place to say more.
WHY THIS PROPOSAL IS WORTH LOOKING AT.
1. The technology is mature, affordable, and operational.
2. The super-powers can USE this proposal, this year, or next.
Not just the USA and the USSR; but a few other nations, too.
3. The "trouble makers" who haven't yet demonstrated the maturity to
abstain from rash use of a "doomsday" device can't use this idea.
4. It saves money; and buys time - precious time, in which we can
learn to trust each other, and to respect our differences -
accepting the fact that "... east is east and west is west,
and never the twain shall meet ..." [Kipling]
WHY THIS PROPOSAL WILL BE RESISTED - perhaps EVEN DISCARDED.
1. Not many vendors will win multi-year, multi-billion contracts to
develop and manufacture these systems. That has largely been done.
2. Not many career officers and bureaucrats will get multiple promotions
for the development and deployment of these systems; again, that's done.
SOME CONFESSIONS ABOUT MY MOTIVES.
I believe that Americans and Russians, Christians, Moslems, Jews, Buddhists,
atheists, agnostics, capitalists, communists, socialists, pacifists, hawks,
doves, owls, and others CAN live together; not in "harmony" - but in some
civility, with respect. My belief is based on two facts:
1. The lion and the lamb may never lie down together, but the lion and the
antelope presently share the veldt; blood is shed, but genocide does not
occur. It's elsewhere called the "balance of nature." There is even some
evidence that the process improves the strain of antelope - and lion.
2. I cannot accept gross demeaning judgments made about a people who produce
some of the world's really great classical music. Tchaikovsky, Borodin,
and others have composed the best - in my opinion. I believe that the
Russians love their country, their families, their music, and the Almighty
- by whatever name He may be called - just as we do; and, like us, they fear
(or at least don't enjoy the thought of) death, starvation, disease, hatred,
suspicion, etc. Why are they so "defensive" - an enigma wrapped in a
mystery, surrounded by a riddle? (or whatever exact phrase Churchill
turned in '48) Their land was invaded twice in the lifetime of their most
recent leaders - men born before WWI. The losses of life were catastrophic;
almost 25% of the adult male population died each time - though the WWI
figures get blurred with the totals from their own revolution. And those
weren't the first times; Napoleon did it in the 19th century, and the
Mongols did it earlier. That plus the oppressive cold of a lingering
winter give them a somewhat different world view.
But in a quarter century, they, like us, have NOT pushed the button. That
speaks well for their responsibility.
Our REAL problem - in the USA and the USSR and the third world - indeed in the
entire world - is NOT communists, not Arabs, not any organized government, nor
religion; it is terrorists - criminals; men of desperation, who when armed will
extract their needs by violence, and damn the consequences. We have more than
our share of such trouble-makers; they have attacked many of our prominent
citizens recently: John and Robert Kennedy, Martin Luther King, Jr., Ronald
Reagan, Patty Hearst, and Malcolm X are examples easily remembered.
If some of the money spent now on weapons can be re-invested in research in
medicine, in electronics for space exploration, in agriculture, etc. there will
be no loss of income for the scientists and business men now supplying the
Pentagon. True, many of them will have to adapt; but then, they do that now.
The arms of WWII just don't sell today. A Technology Base that supports
sophisticated weapons to kill people can adapt to kill viruses; to guide
rockets to the distant galaxies, instead of missiles to distant cities; to
detect bombs of terrorists, instead of bombs of military commandos. I will
have to be one of those who adapt; my employer, the Naval Weapons Center, must
adapt too. We are intellectually capable of doing that.
RGE
------------------------------
Date: 16 Sep 85 11:09:56 PDT (Monday)
Subject: Re: SDI, feasibility is irrelevant (Response to McCarthy)
To: RISKS@SRI-CSL.ARPA
From: Gopal <Gopal.es@Xerox.ARPA>
Your analogy to SDI of a duelling gunman putting on a bullet-proof vest
seems slightly flawed, but your overall point is well taken:
The vest is far from being bullet proof...and the vest dose not
exist yet. The gunman has just thought about making one, after many
fruitless years of holding guns at each other. It is likely that he may not
succeed in making a vest that stops any bullet. The other gunman knows this.
But IF he should succeed, THEN, the status quo is broken immediately:
the very fact of possession of a bullet proof vest indicates that he can
turn the outcome decisively in his favor. This clearly will be perceived
as an act of hostility by the worst-case-strategists at the Kremlin. If
I were them, I would not sit by idly, twiddling my thumb: I would launch.
Sure, the gunman trying to make the vest has promised to give one to
the other gunman also, so there would be no hostility. But, WHEN he has
one, he would not give it away. The strategists do not plan on the basis
of goodwill. They would wait until a 'crisis' develops that forces them
to make a hard choice: share SDI or die.
Would they get rid of the guns, once each one has a vest to stop
bullets? Not likely. We all know that when he was the only gunslinger in
town, he opted to keep that gun in case the other guy gets hold of
one...but now he can't get rid of his gun BECAUSE the other guy has one
too! If there is enough goodwill to get rid of the guns with vests, it
should be even more feasible to get rid of them now, without having to
incur the cost of the vests. Such goodwill simply does not exist while
there is also fear.
If SDI should succeed, even partially, (that is, if the monkey should
reach the moon, at least partially, by climbing the tree) then the only
option would be to share SDI with the other guy. Even after sharing
SDI, we are still bound by fear, of a different kind: what if one
develops a way to take out the other guy's SDI somehow by first strike
and tip the scales in his favour? Another president will come along to fund
this project, because the other side "already started on it and we don't
want to compromise national security". The other side, of course, needs
no excuses like this. And, history will repeat...and repeat.
SDI does not solve the basic nature of the conflict in purpose that
national leaders must exhibit: They must get rid of the guns to make
peace and rid their people of fear, and they must protect national
security. These are clearly not compatible goals in a world of hostile
Governments. The Governments of the world hold the people hostage to
fear and insecurity, much like a handful of gun-slinging gangsters
holding a vast majority hostage to fear of crime.
I admit that it is much easier to shoot down an idea (like SDI) than to
offer an easy alternative in a complex problem like this. But let this
not be a reason to adopt a faulty approach like SDI.
Well, 'nuff ramblin' on SDI. By the way, October issue of Science '85
magazine has a cover story on "RISKS: How it is perceived" and I thought
it was quite thought-provoking and may help us understand how
SDI-like-risk is perceived by the people. I highly recommend reading it.
Gopal
[This message is marginally on the subject -- assuming the original
message was. I'm not sure whether it sharpens or blunts the
would-be analogy, but let's blow the whistle on the bullet-proof
vest at this point. Thanks. PGN]
------------------------------
End of RISKS-FORUM Digest
************************
-------