Return-Path: <NEUMANN@f4.csl.sri.com>
Received: from csl.csl.sri.com (CSL.SRI.COM) by F4.CSL.SRI.COM with TCP; Mon 20 Jul 87 22:47:43-PDT
Received: from F4.CSL.SRI.COM by csl.csl.sri.com (3.2/4.16) id AA10644 for RISKS-LIST@f4.csl.sri.com; Mon, 20 Jul 87 22:49:40 PDT
Message-Id: <8707210549.AA10644@csl.csl.sri.com>
Date: Mon 20 Jul 87 22:46:39-PDT
From: RISKS FORUM (Peter G. Neumann -- Coordinator) <RISKS@csl.sri.com>
Subject: RISKS DIGEST 5.13
Sender: NEUMANN@csl.sri.com
To: RISKS-LIST@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest   Monday, 20 July 1987   Volume 5 : Issue 13

   FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Re: Another computer-related prison escape (Alan J Rosenthal)
  Credit card risks (David 'Witt' Wittenberg)
  The latest in Do-It-Yourself manuals (Andrew Scott Beals)
  Re: Robocop review (Eugene Miya)
  Robocop and following instructions (Brian Gordon)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in
good taste, objective, coherent, concise, nonrepetitious.  Diversity is
welcome.  Contributions to RISKS@CSL.SRI.COM, Requests to
RISKS-Request@CSL.SRI.COM.  FTP back issues Vol i Issue j from
F4.CSL.SRI.COM:<RISKS>RISKS-i.j.  Volume summaries for each i in max j:
(i,j) = (1,46),(2,57),(3,92),(4,97).

----------------------------------------------------------------------

Date: Sat, 18 Jul 87 10:58:07 EDT
From: Alan J Rosenthal <flaps%csri.toronto.edu@RELAY.CS.NET>
To: csl.sri!RISKS%ai.toronto.edu@RELAY.CS.NET
Subject: Re: Another computer-related prison escape

Andrew Klossner:
> The alarm did go off, but little attention was paid to it because it
> goes off every day, ...

Something I've always felt strongly about in regard to this is fire
alarms.  There are many buildings in which fire alarms are ignored as a
matter of course.

I believe that in such a case having the fire alarms is worse than not
having them, for two reasons.  One is if you are trying to tell someone
that there is a fire.  You will pull the fire alarm and leave the
building.  No one will listen.  The other is if you are trying to observe
whether or not there is a fire.  Someone tells you that there is, but you
tend to doubt them because their information is probably from the fire
alarm.  At least, this could cause a delay of minutes which can be crucial
in a large building in a fire.

In an apartment building I lived in recently, one night at about 4am the
fire alarm went off.  I blearily woke up, pulled on some clothes, and left
the building.  Standing outside, I saw only two other people that felt as
I did.  Everyone else was still inside.  (I had only been living there for
two months at this time.)

Alan J Rosenthal

   [If any of you wonder, "What has this to do with computers and related
   systems?", the answer by now should be obvious...  Alarms were ignored,
   bypassed, misinterpreted, or otherwise mishandled in many cases such as
   the Stark, Three Mile Island, Chernobyl, Therac 25...  PGN]

------------------------------

Date: 17-Jul-1987 1134
From: wittenberg%ultra.DEC@decwrl.dec.com (David 'Witt' Wittenberg)
To: risks@csl.sri.com
Subject: Credit card risks

AT&T phone credit cards use a credit card number that consists (in most
cases) of your phone number followed by four (presumably somewhat random)
digits.  If the last four digits are random, the probability of guessing a
number (assuming you know that a particular phone number has a card
associated with it) is .01%, which seems relatively safe.

The problem was that if your number was on a centrex where the main number
ended in 000, all the users of that centrex had numbers that consisted of
the main number followed by 4 digits (a different four-digit code for each
user to provide accountability), so if the centrex had 500 users with
credit card numbers, a random 4-digit number appended to the centrex
number had a 5% chance of working.  This made the expectation value of the
number of tries before finding a valid number 10!

This has been corrected, so that now the card number is an individual
number followed by the 4 random digits.

--David Wittenberg

------------------------------

Date: Sun 19 Jul 87 16:54:46-PDT
From: Andrew Scott Beals (well!bandy@lll-lcc.ARPA)
Subject: The latest in Do-It-Yourself manuals
To: RISKS@csl.sri.com

Three ads from the August issue of Computer Shopper:

   CABLE and SUBSCRIPTION TV secret manual.  Build your own DESCRAMBLERS,
   converters.  Instructions, schematics for: Sine Wave, Inband/Outband
   Gated Sync Pulse, SSAVI methods (for HBO, Showtime, Cinemax, UHF, etc.)
   Send $8.95 + $1 postage to CABLETRONICS Box 30502CS, Bethesda MD 20814.

   COMPUTER UNDERGROUND.  Hacking, Crashing, Pirating, and Phreaking.
   Who's doing it, why they're doing it, and how they're doing it.  Sample
   programs, phone numbers, and the tools of the trade.  Send $14.95 + $1
   postage to CABLETRONICS Box 30502CS, Bethesda MD 20814.

   HACKER'S HANDBOOK.  Tells how to access remote computers, figure out
   passwords, access codes, operating systems, modem protocols.  Plug into
   the electronic subculture; open up a world of new information.  Send
   $12.95 + $1 postage to CABLETRONICS, Box 30502CS, Bethesda MD 20814.

   [This item is included here to illustrate an important point: Knowledge
   on how to subvert system security is VERY WIDESPREAD.  Sticking one's
   head in the sand and assuming that everything is OK is a certain way to
   court disaster.

   IMPORTANT SIDEBAR: RISKS does not endorse unsavory behavior by crackers;
   however, RISKS also does not endorse ostrich behavior by system
   purveyors.  PGN]

------------------------------

Date: Fri, 17 Jul 87 10:40:16 PDT
From: Eugene Miya <eugene@ames-nas.arpa>
To: baldwin@cs.rochester.edu
Subject: Re: Robocop review
Cc: risks@csl.sri.com

Yes, I saw that segment as well.  I think the scene derived its effect
from the "blame the computer" syndrome we have developed over the last
couple of decades.  The effect is supposed to be based on 1) "we" have
this new security device, 2) to test it, would you hold this gun?  [For
those not seeing the scene, this biped robot security device can identify
guns held at it.]  Stop.  Typical person (Everyman, who was the actor of
this scene; there is a name of this type of person in the Star Trek
parlance) would say "No way."  This is what you have test pilots and
drivers for.  Machines have made us think about them in less than positive
ways.  It's perfectly safe.  Now, for the viewer (you the reader of
RISKS), do you think you would point a gun at an armed security device?
Now, do ya'?  Do ya' feel luck.. punk?

We (computer people) would think this device would be tested to this
point.  I'm certain the programmer characters in the film would have
thought so too; otherwise, why would the RISKS group exist?

The problem with computer systems is that we think we should try to put
common sense into them.  I think this is wrong.  Humans take common sense
for granted.  It is a form of prejudice.  Common sense is not logic.  The
other extreme is "blind logic", which is portrayed as poor programming
(actually inconsiderate "exception handling").  Our problem is that we
have conflicting goals; the best written description was given by Nancy
Leveson in her Computing Surveys article on Safety.  One purpose of
science is to challenge the assumption of common sense as part of
education/learning.

Remember that just over a century ago, it was `common sense' that certain
members of the human population were inferior on the basis of race.
Quantum mechanics arose in a different domain to change other `common
sense' ideas.  In the end, it is all your point of view.

I do plan to see this film (as bad as it might be).  S&E both gave thumbs
up, but I don't trust them.

--eugene miya, NASA Ames

   [1. `` `Common sense' is not very common.''
    2. I have seen one scathing review and one rave (qualified with
       "excessive violence").  The previews go right to the ``would you
       trust this robot?'' scene...  PGN]

------------------------------

Date: Sun, 19 Jul 87 08:26:23 PDT
From: Brian Gordon <gordon%cae780.cae.tek.com@RELAY.CS.NET>
To: RISKS@csl.sri.com
Subject: Robocop and following instructions (RISKS-5.12)

>From: baldwin@cs.rochester.edu
>"I think there's something basically funny about a machine ...
> blindly following instructions in the face of logic"

One of the scariest things I learned while teaching "Computer
Appreciation" (actually titled "Computers in Society") to non-technical
types in the 70's was how little college students knew about the "nature"
of computers.  On every final there was a question of the general type,
"What are the implications of a machine that only does EXACTLY as it is
told".  The majority of the answers were always about how bad it WOULD be
if there WERE such devices -- and remember, this was after they were told
the question was coming!  It almost makes you want to take up plumbing.

FROM: Brian G. Gordon, CAE Systems Division of Tektronix, Inc.
UUCP: tektronix!cae780!gordon [or gordon@cae780.CAE.TEK.COM]

------------------------------

Date: Mon, 20 Jul 87 11:35:48 EDT
From: baldwin@cs.rochester.edu
To: baldwin@cs.rochester.edu, eugene@ames-nas.arpa
Subject: Re: Robocop review
Cc: risks@csl.sri.com

Right-on-target discussion (by Eugene Miya) of safety and risks in this
hypothetical situation, and the contrasts between what people intuitively
expect from "intelligent" machines and what they actually get.  (The term
"intelligent machine" is a lasting disservice done to our discipline by
the press of the 1940's and '50's.)

The point I want to make is that there seems to be a large segment of
society out there that doesn't think this is a risk at all - it's just
funny.  That's the same society that somehow has to make collective
decisions about computer systems in nuclear power plants, weapons, planes,
and all the other things we've been discussing for who-knows-how-long
here.

------------------------------

End of RISKS-FORUM Digest
************************