RISKS@CSL.SRI.COM (RISKS FORUM, Peter G. Neumann -- Coordinator) (01/09/87)
RISKS-LIST: RISKS-FORUM Digest Thursday, 8 January 1987 Volume 4 : Issue 38
FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Contents:
As the year turns ... (Jeffrey Mogul)
Automobile micros (Hal Murray)
Chemicals in semiconductor manufacturing (Michael Scott)
Cellular -- Ref to Geoff (via PGN)
"Misinformation"?? (Dick Karpinski)
Burnham Book -- A Recommendation (Alan Wexelblat)
Engineering Ethics (Dan Ball)
Re: Stock Market Volatility (Richard A. Cowan)
The RISKS Forum is moderated. Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious. Diversity is welcome.
(Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM)
(Back issues Vol i Issue j available in CSL.SRI.COM:<RISKS>RISKS-i.j. MAXj:
Summary Contents Vol 1: RISKS-1.46; Vol 2: RISKS-2.57; Vol 3: RISKS-3.92.)
----------------------------------------------------------------------
From: mogul@decwrl.DEC.COM (Jeffrey Mogul)
Date: 8 Jan 1987 1846-PST (Thursday)
To: risks@csl.sri.com
Cc: mills@huey.udel.edu
Subject: As the year turns ...
A number of sites, including my own, have special receivers for the time
signal transmitted by the GOES satellite; the time information comes from
the National Bureau of Standards, and with a properly adjusted setup you can
set your computer's clock to with a few milliseconds. Since the clocks are
somewhat expensive, many hosts instead slave their clocks to one of the
hosts endowed with its own satellite receiver.
The data stream from the NBS tells you what time of day it is, and what day
of the year it is, but it does not say what year it is. The usual practice
is to assume that the local host knows what year it is, and to get the
correct time you combine the satellite clock's time-within-year with your
local knowledge of the year.
Needless to say, this doesn't quite always work. Mostly, it tends
to not work on New Year's Eve, when many of us would rather not be
fixing our computers. Dave Mills does a great job keeping a bunch of
clocks running, on which many other hosts on the Internet depend. This
is his message from early on January 1st:
From: mills@huey.udel.edu
Subject: Ask not for whom the chimes tinkle
To: tcp-ip@sri-nic.arpa, nsfnet@sh.cs.net
Folks, Every year it's the same - I forget UT midnight comes five hours
before the ball drops in Times Square. For an hour and sixteen minutes after
the hoot and holler in Trafalgar Square at least four radiofuzz timetellers
still squawked yesteryear. DCN1, UMD1, FORD1 and NCAR springs have now been
rewound to 1987 and all you guys can forget those whopping disk-usage
refunds. Thanks to Hans-Werner Braun, who reminded me of my annual first
duty of the new year and annual first resolution to figure out how to avoid
paw to keyboard in the absence throughout the world, as far I know, of a
highly reliable electronic way to find out what year it is.
It turns out that as recently as today, several Internet sites are still
stuck in 1986, apparently as a result of the efficient distribution of
faulty time information.
Meanwhile, I thought I had foreseen all eventualities and fixed the
program used here at DECWRL, so that as the year turned it would avoid
becoming confused. The important thing is to be sure not to try to
set the time during a period where the satellite clock thinks it is one
year and the local clock thinks it is a different year. Needless to
say, I got this part wrong, and our clocks promptly jumped ahead exactly
one year. I found at least two bugs in my code, but I still don't
completely understand what went wrong, and I'm sure something is going
to go wrong again next year.
I guess the lesson is that it is wrong to assume that the least
significant bits are the hardest to get right. (One reader of
TCP-IP told of how he had to use a similar year-less time format
when designing a missile-tracking system 20 years ago, and had
to put in special logic to be sure that the system could survive
the confusion on New Year's Eve.) Now, if I could only make it
through January without writing "1986" on any checks.
------------------------------
Date: Thu, 8 Jan 87 12:31:37 PST
From: Murray.pa@Xerox.COM
Subject: Automobile micros
To: RISKS@CSL.SRI.COM
Our hero, Joe, works for one of the "big 3" automakers near Detroit, that
strange corner of the US where everybody a late model American car. One day,
Joe was calmly driving down the highway, accelerating gently, when his car
stuttered a bit. It wasn't a big deal. Most people probably wouldn't have
noticed it. However, Joe's job was programming the small computer that controls
the gas and timing for car engines, so he this behavior caught his attention.
When Joe got to work, he popped the cover off the computer in his car and
took the main chip into the lab. After a bit of work, he managed to
reconstruct the necessary input conditions, and sure enough the glitch was
real. Happy that he had tracked down a minor problem in has car, Joe prowled
around the lab for replacement chip. It didn't take long to find one.
Rather than just installing the new chip in his car, Joe decided to try
it in his test rig. You guessed it, the "good" chip had the same
problem. So did several others - all the ones he found to try.
The story ended there. My guess was a PROM bug, but I didn't get that
from the horses mouth.
Speaking of risks, the first time that GM does a major recall because of
software is going to get a lot of publicity. I'll bet much of it will be
mud for the computer profession rather than teaching the public about
the realities and economics of software.
------------------------------
Date: Thu, 8 Jan 87 15:12:22 est
From: Michael Scott <scott@rochester.arpa>
To: risks@csl.sri.com
Subject: Chemicals in semiconductor manufacturing
Several submissions recently have concerned the risks of miscarriages
and other health problems associated with semiconductor manufacturing.
For anyone interested in the subject, I highly recommend the cover
story of the October 1985 issue of the Progressive magazine: "Dead End
in Silicon Valley" by Diana Hembree. Where recent attention has
focussed on IC fabrication, the Progressive article is mainly about PC
board assembly, where low-paid semi-skilled workers, mostly women, are
reportedly exposed to large numbers of toxic, allergenic, and carcinogenic
chemicals, with a shocking array of side effects. To obtain background
information, Hembree took a job for four months as an assembler at Q.E.S.
Corp. in Santa Cruz. Her story makes pretty grim reading.
------------------------------
Date: Thu 8 Jan 87 11:28:30-PST
From: Peter G. Neumann <Neumann@CSL.SRI.COM>
Subject: Re: re: Cellular -- Ref to Geoff
To: RISKS@CSL.SRI.COM
I had several queries about how could one possibly spoof the cellular phone
system? Some of you will recall the earlier contribution from Geoff
Goodfellow in RISKS-3.10 noting that it is indeed utterly trivial to change
your ID.
------------------------------
Date: Thu, 8 Jan 87 17:24:30 PST
From: dick@ccb.ucsf.edu (Dick Karpinski)
To: davis%oz.ai.mit.edu@xx.lcs.mit.edu, davis@oz.ai.mit.edu, risks@csl.sri.com
Subject: "Misinformation"??
In RISKS DIGEST 4.37
Stock Market Volatility (Randall Davis)
>Date: Wed 7 Jan 87 12:23-EST
>From: Randall Davis <DAVIS%OZ.AI.MIT.EDU@XX.LCS.MIT.EDU>
>...
>4) There's risk in incorrect and incomplete information; there's
>computer-related risk when that information is widely disseminated
>electronically:
> the British telephone billing scam that apparently wasn't;
> the automated bibliographic retrieval system that required keywords
> in the article title (only it didn't);
> ...
>We should be particularly aware of this misinformation risk since it is
>entirely under our control.
I don't recall being satisfied that there was no British phone scam.
What was it that convinced you?
[It is altogether possible that BT is covering up. On the other hand,
their description of the system (by phone, to me) stated that the
READ-AFTER-WRITE check is properly implemented and that there are three
other checks as well. They claim that the Sunday Post will print a
retraction. (As yet no one has reported seeing it.) Of course, there
may be still be other vulnerabilities. RISKS readers are learning to look
the proverbial gift horse in the mouth, as well as the horse you had to
pay a fortune for. PGN]
The bibliographic retrieval system is worse that had been alleged in
the 29 Sep 86 Risks 3.70. It is not a "new policy" according to one
Paul Ryan of the DTIC in 4.23, but a limitation of their software.
But the fact is that only the first five words (including articles
and prepositions) of titles are involved in automatic searches. This
strikes me as an unconsciencable restriction to be removed as soon
as practicable. I would certainly hesitate to count on such a
system. For example, Parnas' seminal CACM article on modularity
("On the Criteria to be Used in Decomposing Systems into Modules")
would only show up in searches for "On", "the", "Criteria", "to",
and "be". What a travesty of search, retrieve, and help!
["To be or not to be..." would show up even more dramatically! PGN]
"We should be particularly aware of this misinformation risk since it is
entirely under our control."
How can I offer to help these poor souls correct (improve) their
shabby software? How else but by discussing these problems can we
become informed about the sad existing conditions?
Dick Karpinski Manager of Unix Services, UCSF Computer Center
UUCP: ...!ucbvax!ucsfcgl!cca.ucsf!dick (415) 476-4529 (11-7)
BITNET: dick@ucsfcca or dick@ucsfvm Compuserve: 70215,1277
USPS: U-76 UCSF, San Francisco, CA 94143-0704 Telemail: RKarpinski
------------------------------
Date: Thu, 8 Jan 87 10:40:59 CST
From: Alan Wexelblat <wex@mcc.com>
To: risks@csl.sri.com
Subject: Burnham Book -- A Recommendation
Some time ago, Dave Taylor (on mod.comp-soc) recommended a book called "The
Rise of the Computer State" by David Burnham. I have purchased this book and
hereby recommend it to RISKS readers. Burnham is an investigative reporter,
so the book tends to have a bit of a sensationalistic streak, but it is very
interesting and covers many topics of interest to RISKS readers. The edition
I have is softcover, published in 1984 by Vintage books for $6.95. It's
ISBN 0-394-72375-9.
People like PGN who collect RISKS-anecdotes may be interested in some of the
stories he tells (like the part played by punch-cards in the 1942 roundup of
Japanese-Americans).
Alan Wexelblat
ARPA: WEX@MCC.ARPA or WEX@MCC.COM
UUCP: {seismo, harvard, gatech, pyramid, &c.}!ut-sally!im4u!milano!wex
------------------------------
To: RISKS@CSL.SRI.COM
Subject: Engineering Ethics
Date: Thu, 08 Jan 87 11:29:37 -0500
From: ball@mitre.ARPA <Dan Ball>
The discussions concerning engineering ethics in RISKS 4.36 and 4.37
overlook what I think is a far more critical contributor to modern
engineering disasters than the personal ethics (or lack thereof) of
individual engineers: the organizational environment in which engineers
must function.
Large engineering projects involve many thousands of engineers, and the
time required to complete them has stretched, in many cases, to over
twenty years. In this environment, it can be difficult for an individual
to feel any personal responsibility for the outcome of the overall project.
Most of the engineers I know are neither "demented" nor "morally wicked."
They are just trying to do their job in the midst of a bureaucracy where
authority is diffused and decisions are made by committee. It is to be
expected that short-term expediency will usually prevail, particularly
when it is difficult or impossible to assess the long-term consequences
of a decision.
The organizational dynamics involved in the development and operation of
safety-critical systems and their effect on the individuals concerned are
submit, far more important than the contemplation of Cicero's ethics.
Although I don't consider Dick Karpinski a "barbarian beast", I question
whether assigning a monetary value to human life would provide additional
insight into the management of risks. I am not convinced that we know
how to predict risks, particularly unlikely ones, with any degree of
confidence. I would hate to see a $500K engineering change traded off
against a loss of 400 lives @ $1M with a 10E-9 expected probability.
I'm afraid reducing the problem to dollars could tend to obsure the
real issues.
Moreover, even if the analyses were performed correctly, the results could
be socially unacceptable. I suspect that in the case of a spacecraft, or
even a military aircraft, the monetary value of the crew's lives would
be insignificant in comparison with other program costs, even with a
relatively high hazard probability. In the case of automobile recalls,
where the sample size is much larger, the manufacturers may already be
trading off the cost of a recall against the expected cost of resulting
lawsuits, although I hope not.
Clearly, though, those of us concerned with safety need to find some
way of seeing that risks are effectively managed in large projects.
It is not enough to act as a perpetual doomsayer standing in the way
of progress. To be effective, safety engineers must be perceived as
helpful and participate in the mainstream of the design activity.
------------------------------
Date: Thu 8 Jan 87 20:31:27-EST
From: Richard A. Cowan <COWAN@XX.LCS.MIT.EDU>
Subject: Re: Stock Market Volatility
To: risks@csl.sri.com
Randall Davis makes the important point that stock market trading
really isn't any more volatile now than before. I agree.
Computers have enabled the VOLUME of trading to go up (probably to a
level where much of the speculation serves no useful economic purpose
to non-speculators), but this does not seem to automatically insure
stock market volatility. Even if computerized trading becomes more
widespread, I would think that any aberrant trades would be quickly
corrected the next day as long there remains some human input into the
trading process. Yet I still see a potential effect.
A book I once read on the Stock Market crash of 1929 noted that in
times of potential panic, large traders would attempt to shore up the
market by buying, to restore confidence in the market. It's possible
that the stability of the present market has a lot to do with this
type of activity. But such "feedback" -- applied by large banks and
brokerage firms -- would not in the foreseeable future be applied
automatically by computer, because the decisions involve analyzing
political events and the psychological mood "on the Street."
If there currently exists a human rudder smoothing the path of the
stock market, I can see why investors might be concerned about
programmed trading. This practice does not run the risk of a
computerized avalanche of domino trades which will drive the market
1000 points up or down in one day. But it may interfere with the
ability of large investors to use their resources as a rudder, in the
event that trading does become volatile for economic reasons.
It is easy to see why the programmed trades get media attention. On
the "triple-witching-hour" days, human beings will have less control
and the market may do unexpected things. If these events are not
announced and explained before they occur, the movement of the market
may set off an avalanche of HUMAN panic selling. Of course, this
would only occur if the preconditions existed were met -- if the
market were viewed to be overvalued, relative to economic performance.
It is true that the news media sensationalizes and often fails to put
stories into historical context; they may seem to enjoy blaming
technology. But consider the motivations of the people from whom the
business press usually get their stories: people in the financial
community. They may find technology a convenient scapegoat for any
problem with the stock market, especially if they have contributed to
setting up the conditions of an overvalued market.
Perhaps the market hasn't reached the point where it is overvalued.
But consider that the head of the MIT Department of Electrical
Engineering and Computer Science, in an open forum on US
competitiveness with Japan last February, said "I think we're going to
have a depression."
Lester Thurow and several other economists are now making frequent
comparisons to 1929, pointing out when large investors finally lost
confidence in the ability of the market to sustain a continued rally
or plateau, they all raced to pull out. Anyway, the point is that
computers will not cause a crash, but could set off a crash that is
bound to occur anyway, and be wrongly blamed for it.
Of course, it is possible that there might not be a crash at all!
When US investors sell, foreign investors will buy up all our stock
and we'll be owned by the Japanese! :)
-rich
------------------------------
End of RISKS-FORUM Digest
************************
-------