5-Aug-86 20:22:24-PDT,16215;000000000000
Mail-From: NEUMANN created at 5-Aug-86 20:20:29
Date: Tue 5 Aug 86 20:20:29-PDT
From: RISKS FORUM (Peter G. Neumann -- Coordinator)
Subject: RISKS-3.31
Sender: NEUMANN@CSL.SRI.COM
To: RISKS-LIST@CSL.SRI.COM

RISKS-LIST: RISKS-FORUM Digest, Tuesday, 5 August 1986  Volume 3 : Issue 31

     FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS
  ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Another cruise missile lands outside Eglin test range (Martin J. Moore)
  Aircraft simulators and risks (Gary Wemmerus)
  Re: Comment on Hartford Civic Roof Design (Brad Davis)
  Expert system to catch spies (RISKS-3.30) (Chris McDonald)
  Computer and Human Security (Henry Spencer)
  Ozone Reference (Eugene Miya)
  Financial risks (Robert Stroud)
  Mail Load Light(e)ning? (SRI-CSL Mail Daemon)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in
good taste, objective, coherent, concise, nonrepetitious.  Diversity is
welcome.  (Contributions to RISKS@CSL.SRI.COM, Requests to
RISKS-Request@CSL.SRI.COM)
(Back issues Vol i Issue j available in CSL.SRI.COM:RISKS-i.j.  Summary
Contents in MAXj for each i; Vol 1: RISKS-1.46; Vol 2: RISKS-2.57.)

----------------------------------------------------------------------

Received: from eglin-vax.ARPA [...] Tue 5 Aug 86 05:24:05-PDT
Date: 0 0 00:00:00 CDT
From:
Subject: Another cruise missile lands outside Eglin test range
To: "risks"

An unarmed Tomahawk cruise missile malfunctioned and landed unexpectedly
during a test launch at Eglin AFB last Saturday (8/2/86).  The missile,
launched from the battleship Iowa at 10:15 am CDT, flew successfully for 69
minutes before deploying its recovery parachute for reasons not yet
determined.  The missile made a soft landing in an uninhabited area 16 miles
west of Monroeville, Alabama.  No injuries or property damage were reported.
The cause of the failure is not yet known.
The missile, which suffered no apparent external damage, was recovered and
returned to the General Dynamics works in San Diego for investigation.

The missile was the second in four launches to land outside the
800-square-mile Eglin reservation.  Last December 8, the first Tomahawk
launched at Eglin landed near Freeport, Florida.  The cause of that failure
was a procedural problem which caused portions of the missile's flight
control program to be erased during loading.

Saturday's failure followed a successful Tomahawk launch on the previous
day.  A missile launched from the destroyer Conolly successfully flew a
500-mile zigzag course over southern Alabama and the Florida Panhandle
before landing at the designated recovery point on the Eglin range.

-- Martin J. Moore

------------------------------

To: Art Evans
cc: Risks@csl.sri.com
Subject: Re: Aircraft simulators and risks
Date: Tue, 05 Aug 86 09:45:51 -0800
From: Gary Wemmerus

I heard a story about the DC-10 crash at O'Hare in 1979 that might be the
one you mentioned.  After the crash, they programmed that sequence of events
into the simulator and tried out pilots on it.  Every one of the pilots that
followed the correct procedures as listed in the MANUAL for that sequence of
events CRASHED.  The problem was that the sequence of events did not include
loss of an engine, just loss of engine power, and did not take into account
total loss of hydraulic power.  I have heard that there are no instruments
on the DC-10 that would tell a pilot that the engine was gone, just that
there was no power from it.  When pilots tried a different way of responding
to the sequence of events, I believe that a successful landing was achieved
80% of the time.  I think that there was no problem with the simulator, but
there were two sets of events that led to one set of indicators to the pilot,
and the manual listed the correct procedure for the other set of events.
My guess is that they never expected the sequence that occurred and have now
come up with a way to distinguish between the two events.

-gfw

PS.  A lot of this is from second-hand sources, so I cannot totally vouch
for its accuracy.

------------------------------

Date: Tue, 5 Aug 86 13:18:08 MDT
From: b-davis@utah-cs.arpa (Brad Davis)
To: RISKS@csl.sri.com
Subject: Re: Comment on Hartford Civic Roof Design

Along with the problems of the wrong model are the problems of not testing
at proper extremes or making bad assumptions.  About 15 years ago a new
shopping mall was being built in Salt Lake City.  The engineers (and
architects?) from California consulted their data books (or ran their CAD
systems) and determined the amount of weight the building needed to support
to make it through a desert winter.  Even though Utah is a desert, we get
1-foot snowfalls in twelve-hour periods.  The roof caved in at the first big
snowfall of the season.  Luckily the mall hadn't opened yet.  They did fix
it and the mall hasn't had any problems since.

Brad Davis

------------------------------

Date: Tue, 5 Aug 86 7:31:33 MDT
From: Chris McDonald SD
Subject: Expert system to catch spies (RISKS-3.30)
To: RISKS FORUM (Peter G. Neumann -- Coordinator)

Larry Van Sickle asks the question "Is it doable?" regarding the use of an
"expert system" to screen out or to identify potential espionage agents.
From my sixteen years of experience in positions which require a security
clearance and actual access to classified defense information, I conclude
"NO!"  The reason is that potentially millions of government as well as
contractor employees have clearances with access to national defense
information.  I find it incredible to believe that any "expert system" could
realistically factor in all the variables which might cause an individual to
be recruited for espionage or to recruit him or herself for such activity.
Second, while the news media has reported the apparent "greed" of the most
recent batch of US citizens involved in espionage against their country, I
would surmise that there were probably equally compelling personal and
philosophical reasons for their actions.  Whenever there is an in-depth
damage assessment of espionage cases "after the fact," it seems historically
that there are many motivations at work.

Third, if "disaffection" might be one of the causes of a successful
espionage recruitment, then the problem is magnified by the very bureaucracy
that employs individuals with security clearances.  For example, there has
not been a President or Executive Branch since 1970 which has not proposed
that the Federal workforce is a collection of lazy misfits who could not be
employed anywhere else.  There has never been a sustained call for
"excellence" in the government on the assumption that this is a
contradiction in terms.  How could any "expert system" factor in cuts in
salary, retirement and benefits without -- perhaps with some exaggeration --
potentially disqualifying the entire workforce?  The defense contractor side
of the house experiences the same sort of problems as it goes through one
cycle after another in which today we build the B-1 bomber and the next day
we shut down the line.

Finally, although I do not have the benefit of reading the actual article
which Larry mentions, it does appear that the so-called "former intelligence
analyst" has confused the issues of "suitability" and "loyalty".  Just
because an individual has financial problems does not necessarily mean that
he will spy against the US.  While "suitability" factors may appear in
actual espionage cases to have had some influence on "loyalty," they are
usually never the sole reason.  Indeed, if "greed" alone were a factor, why
have so many people "sold" themselves so cheaply?
------------------------------

Date: Tue, 5 Aug 86 21:41:12 edt
From: decwrl!decvax!LOCAL!utzoo!henry@ucbvax.Berkeley.EDU
To: LOCAL!CSL.SRI.COM!RISKS
Subject: Computer and Human Security

Lindsay F. Marshall writes, in part:

> I feel that there are significant differences between the quality of the
> two sorts of security...  there are many instances where computer
> security seems very much more superficial than human security...

The other side of this coin is that there are many instances where human
security is very much more superficial than computer security.  How many
times have you been waved through a gate by a guard who knows you?  Does he
really consider the possibility that your pass might have been revoked
yesterday?  Yes, I know, they're supposed to always check, but it often
doesn't work that way in practice.  Especially if there is something else
distracting them at the time.  An electronic pass-checker box, on the other
hand, does not get distracted and doesn't get to know you.

Human security can be bribed, coerced, or tricked; these tactics generally
don't work on computers.  Their single-minded dedication to doing their job
precisely correctly and ignoring everything else blinds them to
"out-of-band" signs that subversion is taking place, but it also blinds them
to "out-of-band" methods of subversion.

The best approach is to combine the virtues of the two systems: use
computers for mindless zero-defects jobs like checking credentials, and use
humans to watch for improper use of credentials, attempts to bypass
credential checking, and anomalies in general.  One gray area is checking
the match between credentials and credential-holders: this generally has to
be done by humans unless the credentials are something like retinagrams.
Henry Spencer @ U of Toronto Zoology
{allegra,ihnp4,decvax,pyramid}!utzoo!henry

------------------------------

Date: Tue, 5 Aug 86 10:51:50 pdt
From: eugene@AMES-NAS.ARPA (Eugene Miya)
To: neumann@sri-csl.ARPA
Subject: Ozone Reference
ReSent-To: RISKS@CSL.SRI.COM

I talked to one of our bio-geo-chemists.  There is a popular article which
he feels is a good introduction to the players of this research including
good references:

  Nature, 321, June 19, 1986, pp. 729-730

To reiterate: all of the postings I have seen on Risks almost make this
sound like either a conspiracy or foot dragging by the earth science
community.  Eight years is nothing in the span of research in the earth
sciences.  That was also the length of time involved in the Palmdale Bulge
research which turned out to be erroneous.  My contact, Greg, has seen
papers suggesting natural mechanisms for ozone depletion in the Antarctic.
There is insufficient money and time to research long-period phenomena.

Note: this brings up the issue of fast developing trends with slow thinking
scientific communities, but that is another issue.

--eugene miya, NASA Ames

  [The AAAS Science article is on page 1602 of the 27 June 1986 issue.  It
  points out the increasing depletion (now 50%) in the ozone layer for a
  short period in October compared with the 1979 norm.  It does not deal
  with the reported software problem.  PGN]

------------------------------

From: Robert Stroud
Date: Tue, 5 Aug 86 16:17:45 bst
To: risks@csl.sri.com
Subject: Financial risks

There was an item on the ITV News at Ten last night about the record
62-point fall of the Dow Jones Index about a month ago.  Since it was on TV,
I can't report it verbatim, but the gist was as follows:

"Experts are convinced that the record fall was almost entirely due to the
use of computer programs that automatically sell stock when certain
conditions are triggered.  [...stuff about the cash index falling below the
futures index...]
Whereas a fall of this magnitude would have been disastrous a few years ago,
nowadays it hardly causes a hiccup.  The big shareholders are quite capable
of withstanding a swing of 40 points or more in a day, although the small
investor suffers.  Although computers are blamed for this sort of
instability, they are also credited with keeping the market at its high
level over the last 6 months.  However, members of the public would be
concerned if they were aware of the increasing use of technology, not just
because of the problems of the small investor but also because decisions are
now being taken based solely on movements within the market, without
consideration of external economic factors."

I also saw something in The Times suggesting that the fall was "aggravated"
by the use of such programs a few days after the incident occurred - maybe
ITV were reporting the result of an investigation into the causes.

There has been a recent trend towards relaxing controls and regulations in
the financial markets.  There will shortly be what is known as the Big Bang
in the UK and this has caused a great deal of activity in the City with
companies that have traditionally performed separate functions being allowed
to merge, and several giant financial organisations forming.  There has been
a lot of headhunting with astronomical (by British standards :-) salaries
being offered, first for dealers but more recently for those with computing
experience.  Sophisticated computer systems are planned, and apart from just
displaying information, I expect there will be more programs to buy and sell
automatically.

Another aspect of the mergers will be the need to establish what are called
Chinese Walls within institutions to prevent the unethical use of
confidential information.
For example, one part of an institution may be giving financial advice to
some company which another part of the same institution could use to
speculate - the same institution would not have been allowed to perform both
roles under the regulations before the Big Bang.  The Chinese Wall problem
is really a standard security problem with the computing system being
divided up into multiple partitions between which information flow is not
allowed.  Human leakage is likely to be more of a problem.

Increasing dependence on technology has obvious reliability implications,
but I am more concerned about whether automatic trading is likely to have a
destabilising influence.  Modern telecommunication has made it possible to
have a 24 hour world currency futures market in which vast sums (1
billion/day) are traded rapidly for minute gains.  This is pure speculation,
creating money out of nothing with no connection to the outside world
(unlike other futures markets which at least have some basis in reality,
providing a guaranteed market for some commodity).  I feel that programs
will be able to react too quickly for the wrong reasons with possibly
disastrous consequences.  Equally, they could create a false sense of
security and an artificially inflated market by buying instead of selling.

Although some of these concerns are political rather than technical, and I
am in no sense a financial expert, I would appreciate a discussion of these
issues and some information about the heuristics and safeguards built into
these automatic trading programs.

Robert Stroud, Computing Laboratory, University of Newcastle upon Tyne.

ARPA  robert%cheviot.newcastle@ucl-cs.ARPA
UUCP  ...!ukc!cheviot!robert
JANET robert@newcastle.cheviot

------------------------------

Date: Tue 5 Aug 86 19:37:04-PDT
From: The Mailer Daemon
[Subject: Mail Load Light(e)ning?]
Message undelivered after 14 days -- will try for another 1 day:
    RISKS@DOCKMASTER.ARPA: Cannot connect to host

  [The Dockmaster IMP was hit by lightning several weeks ago.  It still has
  not recovered.  The thundering of undelivered mail messages rains down
  upon me as my mailer merrily retries at intervals.  PGN]

------------------------------

End of RISKS-FORUM Digest
************************
-------
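The Chinese Wall partitioning that Robert Stroud describes in his "Financial risks" contribution (data split into partitions between which information may not flow) can be made concrete as a small reference monitor; the example below is added editorially and is not from the digest or any contributor. The firms, conflict classes and analyst names are constructed, and the read/write rules follow the Brewer-Nash formulation of the policy, which postdates this digest.

```python
# Added example (not from the digest): a Chinese Wall reference monitor.
# Firms, conflict classes and analyst names are constructed for illustration.
from dataclasses import dataclass, field

# Conflict-of-interest classes: firms in one class compete with each other;
# "public" marks sanitized data that is never in conflict with anything.
CONFLICT_CLASS = {"AcmeBank": "banks", "BetaBank": "banks",
                  "OilCo": "oil", "GasCo": "oil", "MarketTape": "public"}

@dataclass
class Analyst:
    name: str
    seen: set = field(default_factory=set)  # firms whose data has been read

class ChineseWall:
    def __init__(self):
        self.audit = []  # (analyst, action, firm, allowed); denials go to review

    def can_read(self, analyst, firm):
        # Read rule: public data, data already held, or data from a firm whose
        # competitors the analyst has never read are all allowed.
        cls = CONFLICT_CLASS[firm]
        if cls == "public" or firm in analyst.seen:
            return True
        return all(CONFLICT_CLASS[f] != cls for f in analyst.seen)

    def read(self, analyst, firm):
        ok = self.can_read(analyst, firm)
        self.audit.append((analyst.name, "read", firm, ok))
        if ok:
            analyst.seen.add(firm)  # the wall around this analyst now moves
        return ok

    def write(self, analyst, firm):
        # Write rule: refused if the analyst holds any other non-public firm's
        # data, since the write could carry it across the partition boundary.
        leaks = {f for f in analyst.seen
                 if f != firm and CONFLICT_CLASS[f] != "public"}
        ok = self.can_read(analyst, firm) and not leaks
        self.audit.append((analyst.name, "write", firm, ok))
        return ok

def demo():
    wall, alice = ChineseWall(), Analyst("alice")
    decisions = [wall.read(alice, "AcmeBank"),    # first bank read: allowed
                 wall.read(alice, "MarketTape"),  # public: always allowed
                 wall.read(alice, "BetaBank"),    # AcmeBank competitor: denied
                 wall.read(alice, "OilCo"),       # other class: allowed
                 wall.write(alice, "OilCo")]      # carries AcmeBank data: denied
    return decisions, wall.audit
```

The audit list is the part a reviewer would actually watch: the machine enforces the partition mechanically, while the denied entries show where a person kept trying to reach across it, which is the "human leakage" the post worries about.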