RISKS@KL.SRI.COM (RISKS FORUM, Peter G. Neumann -- Coordinator) (07/27/88)
RISKS-LIST: RISKS-FORUM Digest Tuesday 26 July 1988 Volume 7 : Issue 28
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Contents:
Pentagon testing (Mike Trout)
Re: "Man in the Loop" (Rodney Hoffman)
NOVA on risks of fighter technology (Dave Curry)
Re: Hacking central office switches (Laura Halliday)
Law student sues micro sysop under ECPA (John Gilmore)
Scanning instant-win lottery cards (Rich Kulawiec)
Wanted: Info on Ergonometrics (Emily S. Bryant for Michael Whitman)
The RISKS Forum is moderated. Contributions should be relevant, sound, in good
taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line
(otherwise they may be ignored). REQUESTS to RISKS-Request@CSL.SRI.COM.
FOR VOL i ISSUE j / ftp kl.sri.com / login anonymous (ANY NONNULL PASSWORD) /
get stripe:<risks>risks-i.j ... (OR TRY cd stripe:<risks> / get risks-i.j ...
Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85),(6,95).
----------------------------------------------------------------------
Date: 25 Jul 88 21:21:13 GMT
From: miket@brspyr1.brs.com (Mike Trout)
Subject: Pentagon testing (an oxymoron) (Re: RISKS-7.24)
In article <12415398632.18.NEUMANN@KL.SRI.COM>, Gary Chapman writes:
> Subject: Aegis testing data withheld from Congress
> Defense Week reports that an unclassified report of the General Accounting
> Office (GAO) reveals that the Navy withheld testing problems of the Aegis
> air defense system from the Congress. "Personnel and Aegis equipment were
> not subjected to targets or tactics that would be found in combat," ...
This is typical of Pentagon testing, and seems to be particularly prevalent in
the Aegis system. An interesting parallel concerns the testing for the Phalanx
close-in shipboard missile defense system, which of course is included as part
of the Aegis umbrella. The Navy's final results of the testing conducted for
Phalanx reported that the system had achieved greater than 80% "success." But
what was the definition of "success?" Pentagon watchdog groups did a little
digging with the Freedom of Information Act, and determined that "success" had
been interpreted as "destruction of the incoming missile." Well, that seemed
okay, so most investigations were dropped. But some whistle-blowers in the
Pentagon produced some disconcerting information. While it was true that
simulated incoming missiles had indeed been "hit" and "destroyed," it had been
determined that the debris and rocket fuel of the destroyed missile would
continue onward and hit the ship, causing tremendous impact and an inevitable
fire. It was estimated that this would be enough to destroy or knock out
nearly any vessel. But since the simulated missiles had been "destroyed," the
Navy proudly announced that Phalanx had passed the test. Empirical evidence
from the Falklands war makes the Phalanx testing look even less realistic.
Only one of the Exocets hitting Royal Navy ships exploded, yet the dud Exocets
still did hellish damage, including sinking two ships. It also appears that
the missile that hit the USS _Stark_ did not go off.
Another example uncovered by the Dina Rasor group: A mobility/breakdown test
was conducted for the new M-1 Abrams tank. The tank failed the test. The test
was run again, with identical results. The Aberdeen Proving Grounds was
instructed to just keep running the test until the tank passed. On the 161st
try, the tank passed the test. The testing information provided to Congress
included only that which pertained to the 161st test; the previous 160 tests
were not even mentioned.
Rasor has also uncovered suspicious changes in the testing for both ALCM and
GLCM (Air- and Ground- Launched Cruise Missiles). Recent stories of doctored
test results for the Rockwell B-1B are similar.
In any system in which hardware or software is to undergo a realistic test, it
is critical that ALL test results be released, unaltered. Any other course of
action changes the test from a realistic simulation to a public relations
gimmick. In the case of software written for a computer game, the results of
doctored testing may be comical. In the case of a military weapon, the results
may be disastrous.
Michael Trout (miket@brspyr1) =-=-=-=-=-=-= UUCP:brspyr1!miket
BRS Information Technologies, 1200 Rt. 7, Latham, N.Y. 12110 (518) 783-1161
------------------------------
Date: 26 Jul 88 07:38:52 PDT (Tuesday)
From: Rodney Hoffman <Hoffman.es@Xerox.COM>
Subject: Re: "Man in the Loop"
I recently posted excerpts from Peter Zimmerman's article about AEGIS and Star
Wars and the "man in the loop". Just in case it wasn't clear, all but the lead
introductory sentence of that was from Peter Zimmerman, not directly from me.
Anyone wishing a copy of his complete article may contact me.
I completely agree with Will Martin and Bill Murray when they each insisted on
adding to Zimmerman's piece a stronger statement about HUMAN fallibility.
In my initial posting, I thought I would let Zimmerman speak for himself. In
light of the responses, I probably should have appended my own reactions. In
particular, I believe many lessons implicit in Zimmerman's piece (and familiar
to all RISKS readers) are well-taken. Among them:
* The blind faith many people place in computer analysis is rarely
justified. (This of course includes the hype the promoters use to
sell systems to military buyers, to politicians, and to voters.)
* Congress's "man in the loop" mandate is an unthinking palliative,
not worth much, and it shouldn't lull people into thinking the problem
is fixed.
* To have a hope of being effective, "people in the loop" need additional
information and training and options.
* Life-critical computer systems need stringent testing by disinterested
parties (including operational testing whenever feasible).
* Many, perhaps most, real combat situations cannot be anticipated.
* The hazards at risk in Star Wars should rule out its development.
Rodney Hoffman
------------------------------
Date: Mon, 25 Jul 88 16:59:49 EST
From: davy@intrepid.ecn.purdue.edu (Dave Curry)
Subject: NOVA on risks of fighter technology
WTTW (Channel 11), the Chicago PBS station, showed a commercial last night
for a NOVA episode on the risks of fighter plane technology. The preview
blurb mentioned questions like is there too much data for the pilot to keep
track of, are G's too great, etc.
I would assume other PBS stations will have this episode at some point also
(I'm not a regular watcher of PBS or NOVA, so I don't know how they work).
WTTW is showing it on Tuesday 7/26/88 at (I believe) 9pm EDT.
--Dave Curry, Purdue University
------------------------------
Date: Mon, 25 Jul 88 14:30:38 PDT
From: Laura_Halliday@mtsg.ubc.ca
Subject: re: Hacking central office switches
John T. Powers Jr. writes (Risks 7.27):
> It would have been easy for them to make this kind of activity much harder
> than it evidently was. ...
When I worked for BCTel, we had an even simpler solution: remote access to
the console was over dedicated lines. Grossly unsophisticated, but effective.
laura halliday laura_halliday%mtsg.ubc.ca@um.cc.umich.edu
------------------------------
Date: Mon, 25 Jul 88 22:09:35 PDT
From: hoptoad.UUCP!gnu@cgl.ucsf.EDU (John Gilmore)
Subject: Law student sues micro sysop under ECPA
This appeared in a recent FidoNews (comp.org.fidonet on Usenet).
The FidoNet is a few thousand IBM PC's all calling each other over
dialup lines; similar to Usenet; less flexible; evolving faster.
Copyright 1988 by the International FidoNet Association. All
rights reserved. Duplication and/or distribution permitted for
noncommercial purposes only. For use in other circumstances,
please contact IFNA at (314) 576-4067. IFNA may also be contacted
at PO Box 41143, St. Louis, MO 63141.
FidoNews 5-30 Page 3 25 Jul 1988
Jonathan D. Wallace, Esq.
1:107/801
SYSOP LIABILITY FOR DISCLOSING PRIVATE MESSAGES
In what appears to be the first case of its kind, an Indiana law
student and BBS user has sued a local sysop, Bob Predaina, in
federal court, claiming that he intentionally disclosed her
private electronic mail to others without her permission.
The lawsuit, which is in the early stages and has not reached
trial, relies upon the Electronic Communications Privacy Act of
1986 (the "ECPA"), which makes disclosure of private electronic
mail without consent either of the sender or the recipient a
federal crime.
The ECPA does not obligate sysops to offer private mail on their
systems. However, if a sysop promises private mail, that promise
must be kept and the contents of private messages may not be
disclosed without consent.
The ECPA provides limited exceptions to the general rule of no
disclosure. A sysop may voluntarily disclose to law enforcement
authorities the contents of a message pertaining to the
commission of a crime, if read inadvertently by him or if it is
read pursuant to the exercise of his duties as a sysop.
Until the courts clarify these rules, sysops who read private
mail on their systems and disclose it may be playing with fire.
Prior court cases involving telephone operators have established
some useful guidelines: an operator may disclose information she
overheard while checking the line at the user's request, but may
not disclose information overheard while eavesdropping out of
curiosity. Sysops, like phone operators, will not be considered
to have a blanket authorization to intercept and disclose private
messages.
Systems such as Fido 11w which routinely make all
private mail visible to the sysop are therefore problematic. BBS
programmers should consider making private mail truly private--
while allowing sysops to turn the private mail option off if they
do not want it.
In the meantime, sysops should reconsider whether it is
worth having private mail on their systems and should make clear
to users in no uncertain terms, through bulletins and messages,
the degree of privacy which can be expected, if any.
Note: a copy of the complaint filed in the Thompson v.
Predaina case is available on the LLM BBS, Fido 107/801
(212)766-3788) in file area 5 under the name "Indiana".
* * *
JONATHAN D. WALLACE, ESQ. is an attorney in New York
City specializing in computer law. With Rees Morrison, he is the
author of the Sysop's Legal Manual, published this year by LLM Press.
He can be reached at (212) 766-3785 (voice) or at the LLM BBS,
given above.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The same issue of FidoNews also contains a relevant ad:
SYSOP LEGAL MANUAL FOR SALE
SYSLAW, the Sysop's Legal Manual,
by Jonathan D. Wallace Esq. and Rees Morrison Esq.
This 130 page book, newly published by LLM Press, includes
chapters on the Electronic Communication Privacy Act, sysop
liability for illegal uploads such as pirated software and stolen
credit card codes, libel and state computer crime laws. The book
is $21.00 (includes postage and handling) from LLM Press, 150
Broadway Suite 610, New York, New York 10038. New York residents
include 8.25 percent sales tax.
[This item is included in RISKS because the book might just answer
questions that have been raised here repeatedly. This notice
represents no endorsement of the book, and is for your information
only. On one hand, much of the cited information is publically
available. On the other hand, its compilation and interpretation in
one place might be useful -- assuming the book is accurate. If this
redistribution in RISKS can in any way be deemed in violation of the
FidoNet banner above, then perhaps FidoNet itself was in violation of
its own noncommercial dictum. By the way, RISKS is unquestionably a
noncommercial effort, in case you hadn't noticed. PGN]
------------------------------
Date: Tue, 26 Jul 88 01:43:27 EST
From: rsk@payton.cc.purdue.edu (Rich Kulawiec)
Subject: Scanning instant-win lottery cards (Re: RISKS-7.27)
Fred Baube <fbaube@note.nsf.gov> writes:
"Even if they make instant-win lottery cards immune to non-
destructive testing by X-ray, aren't there small CAT scanners
or NMR imagers out there that can determine the location of ink
molecules, providing the same winner/no-winner information ?"
CAT scanners also use X-rays to produce an image, so a card immune
to "peeping" by a conventional X-ray machine is very likely to be immune
to a CAT scanner as well. (All that is necessary for this is that the
inked area have the same absorption cross-section as the non-inked area.)
A similar comment applies to ultrasonic imaging techniques. NMR imaging
might reveal the hidden print, if the ink molecules are distinguishable
from those non-ink molecules around them. My (very casual) guess is
that using an area that's written in two shades of ink with slightly
differing formulations might defeat this approach; i.e. if both areas
consist of a substance with nearly the same chemical composition and
structure, they may be indistinguishable via NMR.
Rich Kulawiec
------------------------------
Date: 25 Jul 88 18:42:52 GMT
From: dartvax!eleazar!emilyb.UUCP@seismo.css.gov (Emily S. Bryant)
Subject: Wanted: Info on Ergonometrics
I am posting the following for a colleague; please send responses by mail to:
michael.whitman@dartmouth.edu or ...{decvax, ihnp4}!dartvax!michael.whitman
and NOT to me! Thanks. Emily Bryant.
WANTED: Information on how to set up a computer workstation's screen,
keyboard, and seating to minimize eyestrain and physical fatigue.
I am interested in any research results which pertain primarily to
eye- and backstrain, but am not looking for information on possible
effects of video display terminals on pregnant operators.
I am looking for recommendations on
1) Worker's height : chair in inches;
2) Distance from eyes to computer screen;
3) Angle from eye level to center of screen;
4) Height of keyboard above lap level;
Also,
5) Do higher screen resolution and refresh-rate reduce eyestrain?
6) Is it personal preference or documentable fact that black letters
on "white" background (Macintosh), green on black, amber on black, or
some other combination, are easier on daylong viewers' eyes?
8) What kind of ceiling fluorescent bulbs help reduce eyestrain?
9) What kind of chairs help minimize backstrain?
Finally, how about common sense suggestions in addition to these:
10) Workers should look away periodically from their screens and
focus on objects in the distance;
11) Use a screen font which is large enough to be read easily;
12) Use eyeglasses when computing for long hours, with a
prescription specifically for one's actual eye-to-screen distance.
I am researching a feature article for a publication at Dartmouth
College. Since I have been able to find no recent articles on this
except a NY Times 6/23/88 article, I hope suggestions for
information sources will be sent.
Michael Whitman
Dartmouth College
------------------------------
End of RISKS-FORUM Digest 7.28
************************
-------