RISKS@SRI-CSL.ARPA (RISKS FORUM, Peter G. Neumann, Coordinator) (06/16/86)
RISKS-LIST: RISKS-FORUM Digest, Sunday, 15 June 1986 Volume 3 : Issue 8 FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Challenger, SDI, and management risks (Dick Dunn) Re: Risks from inappropriate scale of energy technologies (Chuck Ferguson) Distributed versus centralized computer systems (Peter G. Neumann) Privacy legislation (Michael Wagner) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, nonrepetitious. Diversity is welcome. (Contributions to RISKS@SRI-CSL.ARPA, Requests to RISKS-Request@SRI-CSL.ARPA.) (Back issues Vol i Issue j available in SRI-CSL:<RISKS>RISKS-i.j. Summary Contents in MAXj for each i; Vol 1: RISKS-1.46; Vol 2: RISKS-2.57.) ---------------------------------------------------------------------- Date: Fri, 13 Jun 86 12:24:29 mdt From: nbires!rcd@ucbvax.Berkeley.EDU (Dick Dunn) To: risks-request@sri-csl.arpa Subject: Challenger, SDI, and management risks The Challenger failure has an implication for SDI that I've not seen discussed much. I regard the solid-rocket failure as primarily a management failure and only secondarily an engineering failure. Why? Because according to the Rogers group reports, there had been serious concern with the possibility of failure of the O-ring seals, but it got lost or suppressed along the way. Challenger's ill-fated launch was apparently made in spite of best engineering advice to the contrary. How does this apply to SDI? I'll give a sketch; I hope that other people will add more. SDI is under fire from several places (substantial part of Congress, various public-interest groups, many influential technical people). It is therefore important for the supporters (willing and/or appointed) of SDI to present a convincing case that SDI can "do the job." There is tremendous pressure to justify SDI. Translate this into "there is tremendous pressure to argue the case that SDI can be built and can work-- whether or not it really can." To be blunt, there is a tremendous incentive to cover up any potential inability to build an SDI system or any inadequacy once it is built. Of course, if the SDI system is built, and is used, and fails, there will be much more lost than seven lives and some megabucks of hardware. (I have a hard time typing the word "terabucks":-) There probably Wouldn't even be a presidentially-appointed blue-ribbon investigative committee... The hard questions: Do we have a way to manage a project of the magnitude of SDI that will give us any halfway-reasonable assurance that the project will work? Is there any technique that can be applied to reward those who discover problems and punish those who cover them up, instead of the other way around? (My own experience, unfortunately, tells me that these aren't really hard questions. Rather, they are questions which are easily answered "no!" The difficulty in managing any large project, particularly one which involves a lot of software, is legendary.) In summary, I'm saying that Challenger failed not for technical reasons-- I believe that the technical problems are real but surmountable--but for managerial reasons. Further, I think that we need to talk about SDI feasibility in more than technical terms; we need to address whether we could manage the project even if all of the technical problems were surmountable. The answer is anything but a clear "yes". Dick Dunn [From The New York Times, Sunday, 15 June 1986: New York - The ''Star Wars'' anti-missile plan has been seriously and extensively damaged by the Challenger disaster and other setbacks in the American space program, aerospace analysts say. Officials of the anti-missile defense program, formally called the Strategic Defense Initiative, deny any serious damage to the program, but aerospace experts say the problems within the space program have sent shock waves through research programs. ... ] ------------------------------ Date: Thu, 12 Jun 86 20:06 CDT From: Chuck Ferguson - SCTC <CTFerguson@HI-MULTICS.ARPA> Subject: Re: Risks from inappropriate scale of energy technologies To: RISKS-FORUM Digest <RISKS@SRI-CSL.ARPA> In RISKS-3.6, Michael Natkin states: The public has long been duped into the idea that centralized energy management has its best interest in mind as we develop ever increasing electrical capacity. But centralized reactors and other "hard" technologies are extremely susceptible to terrorist attack and other failures, as has been mentioned before. Centralized power supplies may be "extremely susceptible" to terrorists but their susceptibility to failure is not as high as being claimed. It is true that the consequences of a failure might be great; however, for a large centralized power plant it is economical to expend greater resources to prevent their failure (e.g., redundancy) than for the components of a distributed system. Furthermore, I submit that all current power systems have some degree of distributed or redundant functionality to allow periodic maintenance shutdowns if for no other reason. I further submit that there is a significant risk associated with distributed systems which is being ignored. Many such systems are themselves dangerous when poorly maintained or operated improperly. There are also hazards associated with storing combustible fuels near a dwelling or other populated area. Witness the following: o How many chimney fires have you heard about since the "energy crisis" began? A fireplace is a relatively low-tech device yet some people manage to make them dangerous. o Why is it that several houses burn down at the start of every cold season? An oil-fired furnace is a relatively low-tech item also, yet every year someone's gets choked with soot and catches fire. o Ever heard of a methane gas explosion in a sewer system? I recently heard an amusing story about a manure fire at a horse ranch - ten years worth of horse manure had been piled in one place until one day it spontaneously caught fire. One would be surprised how much damage some people can do with low-tech alternative energy. To paraphrase one of the better known 'computer security experts' [emphasis added], "Terrorists can never compete with incompetents". I wonder whether more people lose their lives each year in the commercial production of power or in incidents similar to the above. With respect to the public "being duped" - sounds like another conspiracy theory to me (yawn). Chuck Ferguson, Honeywell, Inc., Secure Computing Technology Center ------------------------------ Date: Sun 15 Jun 86 22:32:04-PDT From: Peter G. Neumann <Neumann@SRI-CSL.ARPA> Subject: Distributed versus centralized computer systems To: RISKS@SRI-CSL.ARPA Although Chuck's note does not seem as closely related to RISKS as some of his past contributions, it suggests various additional comments. A myth of distributed computing systems is that distribution avoids centralized vulnerabilities. WRONG! The 1980 ARPANET collapse gave us an example of an accidentally propagated virus that contaminated the entire network. The first shuttle synchronization problem is a further example. By distributing what has to be trusted, there may be more vulnerabilities -- unless the distributed components are TOTALLY autonomous -- in which case we are not really talking about DISTRIBUTED systems, but rather SEPARATE systems. Security flaws in the systems and networks can result in transitive vulnerabilities, or permit global compromises by iteration. Further, the point raised by Chuck regarding maintenance is an important one in distributed computer systems, especially if some of the distributed sites are remote. Well, then, you say, let the field engineers dial up the remote site. But then that path provides a monstrous new vulnerability. Then we get solutions like the remote backup scheme proposed a while back that gets special privileges... Also, remember the fundamental flaws in the standard two-phase commit protocols, three-clock algorithms, and so on. Once again it might be useful to consider truly robust algorithms such as interactive consistency and Byzantine agreement. However, for every more complex would-be technical solution there are often further technical problems introduced. For every assumption that things have gotten better there seem to be even grosser counterexamples and further vulnerabilities outside of the computer systems. Thus, It is folly to trust software and hardware if an end-run can bypass or compromise the trusted components. But it is also folly to assume that sabotage is significantly less dangerous just because a system is distributed. That may be true in certain cases, but not generally. Peter [Please excuse me if I have repeated some things that I said in earlier RISKS in a different context.] ------------------------------ Date: Sat, 14 Jun 86 11:26:37 edt From: ubc-vision!utcs!wagner@seismo.CSS.GOV (Michael Wagner) To: risks@sri-csl.arpa Subject: Privacy legislation (RISKS-3.6) >A news clipping from this morning's "Los Angeles Times" (page 2, The News >in Brief): > > The House Judiciary Committee voted 34 to 0 for a bill seeking to > bring constitutional guarantees of the right to privacy into the > electronic age. The legislation would extend laws that now protect > the privacy of the mails and land-line telephone conversations to also > cover electronic mail and some telephones that use radio waves. Does anyone have any idea how the last part (radio telephones) could be legally supported in view of other legal freedoms? I thought that one was free to listen to any frequency one wished in the US (Canada too). You don't have to trespass to receive radio signals. Contrast this with the mails. The privacy of the mails is supported by property laws. That is, you put your mail into a box which belongs to the post office. If anyone breaks into that box (or the van which picks up the mail, etc) they are breaking property laws. Similarly for land lines. One has to 'trespass' to tap a land line. It seems to me that the legislators have 'extended' the laws over an abyss. Or have I missed something? The relevancy to RISKS, of course, is that most people don't think about the technology that radio-telephones use. I'm sure most people assume "it's a phone - it's (relatively) safe". Not true, of course. In fact, some people have used their own handsets to make phone calls on other peoples phones! Michael Wagner [I do not recall having pointed out in this forum the ease with which the cellular phone schemes can be spoofed, e.g., getting someone else to pay for your calls. There is another security/integrity problem waiting to be exploited. PGN] ------------------------------ End of RISKS-FORUM Digest ************************ -------