University of Bielefeld - Faculty of Technology
Networks and Distributed Systems
Research group of Prof. Peter B. Ladkin, Ph.D.
This page was copied from: http://catless.ncl.ac.uk/Risks/16.15.html
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
ABC's Nightline programs on June 9 & 10 focussed on invasions of privacy that are facilitated by computers and other electronic media. The program mainly covered things that we are familiar with but performed a valuable service, I believe, by bringing some important privacy issues to the attention of the general public in a fairly clear and direct way.

The program began with Ted Koppel presenting results of a public opinion poll on two questions:

Is the sale of records to mail order companies an invasion of privacy? YES - 73% NO - 27%
Are you concerned about threats to your privacy? YES - 85% NO - 15%

Koppel went on to assert that the amount of personal information that is available online is currently quadrupling each year.

An interview followed with an information broker named Al Schweitzer, who they mentioned is currently on probation for bribery in connection with information gathering. They gave him names and social security numbers of a couple of people and he showed that in less than 24 hours he could get a great deal of information about them from legal sources, including their residential addresses going back a number of years, the amounts of all outstanding loans and credit card debts and terms of a divorce settlement. Schweitzer could not resist mentioning that he could get additional information, including detailed phone bills and lists of credit card purchases through illicit but readily accessible channels and could get the person's income through another such channel at a cost of $50. He showed a list of kinds of information, both legal and illegal, that are available and the schedule of fees for these services.

There was a discussion of the fact that state and local governments sell a great deal of information to direct marketers, including voter registration, property owners lists, court records, and (in many states) motor vehicle and drivers license registrations. These agencies derive a great deal of income from selling this information, which has assisted direct marketers to keep track of 80 million Americans. Thus they have a mutually beneficial relationship, arguably at the expense of the public. It was mentioned that Barbara Boxer's bill, which has passed the U.S. Senate, would restrict dissemination of information by all state departments of motor vehicles.

They interviewed a "reformed hacker" named Ian Murphy who is now a security consultant. Murphy pointed out that all calls to 800 or 900 numbers make the caller's phone number available and that with a computer and an available database this can be mapped into the subscriber's name and address. He also discussed how it was possible to intercept a telephone conversation from a specific cellular phone. He noted that this is illegal but that it is almost impossible to catch anyone who does it. He concluded that "Laws can't keep up with technology."

In a discussion of the Clipper Chip there was a short interview with John Perry Barlow in which he remarked that with it "The government can sit in your living room and hear everything you say."

A woman from Houston, Texas, named Carol Gibbs told her horror story about having her credit usurped by another person and the fact that it has taken her two years to get her life back together. It was pointed out that even though it is now illegal to sell video rental records, it is perfectly legal to sell personal medical records!

The second program concluded with a discussion between Koppel, Schweitzer, Sally Katzen of the "Clinton Privacy Group" and Representative Ed Markey, who discussed his proposed "Privacy Bill of Rights." Markey said that this bill would impose two requirements: (1) That individuals must be given knowledge that information is being gathered about them electronically; (2) Individuals must be given notice when information that has been gathered is proposed for a use other than the one for which it was gathered. Katzen mentioned that it has been over 20 years since the Code of Fair Information Practices was developed and that technology has changed substantially: in 1973-74 most records were paper-based but computer-based records now dominate. She asserted that the law has to catch up.

In parting it was mentioned that a representative of one of the "big three" credit information houses had originally agreed to participate in the discussion but decided not to come after learning who else would be there.

-Les Earnest
This is a Risk only fans of The Simpsons will appreciate: (Paraphrased from New Haven Register Sunday, June 12, 1994 [With my comments!])

Northeast Utilities reported that it had failed to follow proper safety procedures on 2 occasions in April at its Millstone 2 plant in Waterford. On April 23, an indicator showed that some of the control rods were stuck. The crew concluded that the problem must have been with the indicator and left for the day. When the new crew arrived, they discovered the rods were indeed stuck but failed to shut down the reactor as quickly as they should have and underclassified the seriousness of the event.

[See stdrisks.h sections on incredulous operators ignoring unexpected warnings. Also see section on It's Not MY Problem/It's Miller Time (After a HOT day at work, everyone's _dying_ to get home)]

After the incident, some of the plant's operators failed a Northeast Utilities test on reactor theory and were removed from duty for training. The utility's report blamed the problem in part on the operators' failure to understand reactor theory and a failure of plant management to "fully appreciate the implications" of the safety-related event and to provide sufficient oversight.

[sound clip of Homer: Dough!] [sound clip of Mr. Burns: Excellent...]

The other incident involved a coolant leak from the plant's reactor. In this case, the operators again underclassified the seriousness of the event. Notification of federal authorities was delayed by 16 hours.

[Guess they were just letting off a little steam after failing their tests...] [sound clip of Bart: Aye Carumba!]

Jeffrey Sorensen sorenjs@pb.com
Subject: "Computer Ethics" by Deborah Johnson

BKCMPETH.RVW 940322
Prentice Hall, 113 Sylvan Avenue, Englewood Cliffs, NJ 07632
(515) 284-6751, FAX (515) 284-2607
phyllis@prenhall.com, 70621.2737@CompuServe.COM
Alan Apt; Beth Mullen-Hespe beth_hespe@prenhall.com

"Computer Ethics", Johnson, 1994, 0-13-290339-3

Unlike the famous quote about life in the state of nature being nasty, dull, brutish and short, Johnson's examination of the state of ethics in computing is readable, interesting, discerning--and short.

Unlike the usual treatment of ethics as proof by exhaustion, Johnson does a complete and reasonable job. Without recourse to mounds of collected work (of dubious merit), the major points of professionalism, property rights, privacy, crime, and responsibility are addressed. Even in this brief space, ethics are studied more rigorously than in more weighty tomes. Not content with the usual reliance on relativism and utilitarianism, Johnson points out the flaws in each.

"Complete" is, I suppose, an overstatement. Although it is difficult to imagine a scenario that the book does not touch upon at some point, ultimately this book is a good primer and discussion starter. Although possibly the definitive work in the field to date, it does not, in the final analysis, get us much closer to a computer ethic.

Recommended. Should be required reading for all computer science students. Exposure wouldn't hurt any number of professionals and executives, either.

copyright Robert M. Slade, 1994 BKCMPETH.RVW 940322

======================
DECUS Canada Communications, Desktop, Education and Security group newsletters
Editor and/or reviewer ROBERTS@decus.ca, RSlade@sfu.ca, Rob Slade at 1:153/733
BCVAXLUG ConVAXtion, Vancouver, BC, Oct. 13 & 14, 1994 contact vernc@decus.ca
I had always hoped the Chunnel would allow auto traffic, with HOV restrictions, thus enabling the dreaded "Carpool Tunnel Syndrome". ...phsiii
Phil> 1) Boeing sell similar automation to the A320 - they also caused
Phil> the second-worst Japanese crash and in this case much more
Phil> directly (the fuselage broke).

Not true--Boeing does not have any fly-by-wire aircraft in operational status. They have flown precisely ONE fly-by-wire aircraft, the prototype 777. And it made its first flight last week.

Phil> 2) whether you use sidestick or yoke, a modern airliner has no
Phil> direct "cables" to the rudders - it relies on multiple links
Phil> either electrical or hydraulic which would work equally well
Phil> with sidesticks.

A300s have been around for 20 years - this was an A320.

Not entirely true, as the Douglas DC-11 and DC-12 have cables that run from the pilot controls (yoke and rudder) all the way back to the wing and tail, for ailerons or elevators and rudders respectively. The control surfaces are hydraulically actuated, it's true, but most of the control run is cables. I think that the 747 also has similar cables.

Phil> 5) Since several A320s have crashed when silly things have been
Phil> happening, perhaps the automation, like the "watertight" hull of
Phil> the Titanic, is creating a too-complacent pilot. As a
Phil> far-too-complacent pilot myself in the past, I can understand this.

Well, no doubt, but wasn't this accident a 300, not a 320? The 300 has a conventional FCS, not fly-by-wire. Just because they both start with 3's doesn't make them the same aircraft. That's like saying that an A-10 and a KC-10 are identical because they both have 10 in the designator.

Mary Shafer, SR-71 Chief Engineer, NASA Dryden Flight Research Center, Edwards, CA, shafer@ferhino.dfrf.nasa.gov
>His speculation on the A320, that Airbus were forced to use modes
>because they chose a sidestick design, is incorrect. Fly-by-wire
>aircraft use modes because they have to.

This is not true. Early FBW aircraft were essentially open-loop analog systems. They were reactive, very simple, providing very simple feedback and control loops. They were not anywhere near as modal as modern systems.

Keep in mind that Airbus' position is that fly-by-wire systems have to provide a supermarket of user features. In reality, the primary operational benefit is to be simplicity and weight savings. What a manufacturer does from that point onwards is totally arbitrary and subject to market forces. The Airbus design has long struck me as a being in support of an interface which, in turn, was probably the result of a marketing decision. Certainly, the decision to use sidesticks--which provide no active feedback, and which are not interlinked--ran contrary to the preferences of many pilots. The lack of said characteristics has resulted in more modes (and the necessity of protections) and a variety of rather impressive kludges (such as the "take-over" arrows which point to the other pilot when he pushes his "take-over" button).

From what I've read of the Boeing 777 design, it's much less modal than the Airbus design, providing unified and conventional flight characteristics from takeoff roll through landing roll.

>A further comment about the Nagoya accident is appropriate. Current
>knowledge is that the pilots failed to follow normal, explicit
>procedure for control of the aircraft,

Really? I've not seen that anywhere. "Explicit" suggests that the systems' characteristics were clear and well-understood. Such is not the case here. In fact, given that Airbus control philosophies tend to be rather subtle in their feedback and invocation procedures, I'd certainly not suggest that "pilot error" was a likely or trivial error in this case, at least not at this point.

>and secondly that they had both
>been drinking alcohol, which is illegal for good reason.

This has also not been substantiated. The investigators will not comment, and it is not clear whether the presence of alcohol in the corpses was a result of ingestion or decomposition of tissues. In any event, the *presence* of alcohol is not illegal. The illegality is determined by the *amount* of alcohol present.

>senior management of China Airlines has resigned because of this accident.

Because of the fifth major accident in as many years, was the way I understood it.

And Phil Overy RAL <PJO@ib.rl.ac.uk> writes:

> re: Mark Terribile's posting:-
> 1) Boeing sell similar automation to the A320 - they also caused the second-
> worst Japanese crash and in this case much more directly (the fuselage broke).

I do not understand this paragraph. To the naive reader, it could appear that you're claiming a Boeing automation issue was responsible for the structural failure of an airplane. This is clearly false. Nor was the JAL crash the simple result of structural failure: it was primarily the result of a faulty repair, which destroyed the tail, taking the airplane's hydraulic systems along with it.

Moreover, Boeing automation is significantly different from AI automation, from the ground up. The 777 flight control system (assuming you're referring to flight control systems) uses a different machine architecture and has a fundamentally different mission requirement, governed by the use of a different interface. If you're referring to more conventional functions, such as cockpit automation and the navigation systems, again, Boeing philosophy is demonstrably different from Airbus philosophy. It's debatable whether either is "better," but to even a casual observer, they are sufficiently different to cause at least a few customers to scratch their heads when it comes to running fleets with airplanes from multiple vendors. In many cases, the differences are not trivial.

> 2) whether you use sidestick or yoke, a modern airliner has no direct
> "cables" to the rudders - it relies on multiple links either electrical or
> hydraulic which would work equally well with sidesticks.

In point of fact, the hydraulic actuators are controlled via cables. And in a few airplanes (727, DC-9 derivatives) the pilots still retain aircraft control via control tabs in the event of complete hydraulic failure.

> 4) as for mode-switching and elevators etc - the senior pilot seems to have
> tried to recover without switching off the auto-pilot, the junior pilot seems
> to have flown as if the auto-pilot wasn't on. Reports will not say this as
> it's a conclusion, not a fact - it does however sound like the explanation.

And reports also claim a 15-year-old boy crashed an A310-600 when he nudged against the control column. Hmm. I wonder why two airline pilots couldn't figure THAT one out.

Robert Dorsett rdd@netcom.com
After a mail from Peter Ladkin I am now sure of my ground and wish to write what I wanted to write in the first place - despite your correspondent (and a newspaper report I unfortunately used to check my memory, not my Independent or Peter Ladkin's Herald Tribune which got it right), the worst crash in Japan was AN A300 (ie an "old", un-computerised type NOT with sidesticks). The Taiwanese plane did not crash after any kind of automation or airframe failure, but when the auto-pilot was left on until too late. Peter Ladkin tells me that the president of the airline resigned after the crash, so it doesn't sound as if they are trying to transfer responsibility to the manufacturers. The crash at Nagoya was not like Japan's second-worst disaster when a Super 747 (high-altitude model) crashed when the pressure bulkhead at the rear collapsed; on that occasion the makers were Boeing, however I leave accusations to lawyers -- there are plenty of these around and I may have flown on one (and lived :-) ). [lawyers?] I could have phrased it better, but I would point out that Boeing also now use fly-by-wire (on the brand new 777), so the earlier correspondent was misguided in thinking that Boeing were staying away from fly-by-wire. The 777 is also a much bigger plane than the A320... Phil Overy
The average person's response to all of the A3?? technical discussion would probably be that frankly it does not matter why these planes crash! To me, if we play only on the statistics, I want an airplane with a good safety record. Already, Airbus Industry has lost more planes per delivered plane than any other major aircraft manufacturer in the past 3 decades (Lockheed, Boeing, MD). The average person, who for example reads in Consumer Reports that XYZ product can burst into flames after extended use, does not care why! The same is true for airline equipment.

It is also reassuring to note that some committee (or individual) decided that an A320 does not think it has landed until the wheels spin up to something like 90 kts. How reassuring to think that all of the possible consequences of this decision have been carefully thought out and that a full fault-effect analysis has been performed.

Wesley K. Kaplow, AT&T Bell Laboratories, Rensselaer Polytechnic Institute kaplow@att.com kaploww@cs.rpi.edu
Andy Cunningham mentions some possible risks of over-zealous speed enforcement, with (presumably) a radar gun linked to a video camera and some automatic licence-plate recognition software. Such a system was until last year under test in New Jersey. A law was then passed banning it after it was found that there was no way to let people off after they had been ticketed, so that politicians, off-duty police officers and other members of the nomenklatura would then have to conform to the same rules of the road as the rest of the populace. I guess the risk here is that of trying to apply rules to people they obviously weren't meant for! Designers take note - you always have to leave *some* way to circumvent the system :-) I should note that in the U.S. speeding tickets are frequently (many would say primarily) used to generate revenue, rather than for any considerations of safety or traffic management. On the other hand, I understand that photo-radar systems work in the infra-red. This is preferable to an experience I had some years ago while driving late at night at high speed on an autoroute in Belgium - I drove under a bridge and was dazzled by a *powerful* flash going off behind me. Now there's an unexpected risk of driving too fast... Jonathan
> ...actually send out tickets (camera/radar systems which produce photographic

I don't think this is a likely problem. The current camera/radar systems don't work like that. The radar is used to detect likely speeders, and then the camera takes two pictures a known time apart; the position of the car in each is used to determine whether the car was speeding.

Clive D.W. Feather, Santa Cruz Operation, Croxley Centre, Hatters Lane, Watford WD1 8YN, United Kingdom clive@sco.com Phone: +44 923 816 344
The UK is not alone in their lack of voting security. In Canada, as "proof of identification" all we had to do to identify ourselves at the registration station was to bring an envelope mailed to our address (with our name on it) with a second piece of identification. Sounds straightforward... The people are nice and accommodating too: A roommate of mine couldn't make it to the registration, so we were able to register for him *very* easily. Given the (lack of) care being put into actually checking the identification (to test this, I deliberately didn't show them the address on my envelope, I merely waved it at him, and that was sufficient) literally anyone could have registered to vote. The registration process was optimized for speed (we had to wait 30-40 mins) and for friendliness, (they were very willing to accept my word at face value) but no REAL effort was made to authenticate the participants. Doug Tooley 4C Co-Op CS/C&O student at U of Waterloo, Ontario, Canada djtooley@undergrad.math.uwaterloo.ca
In the two towns I've lived in here in Massachusetts, they have a similar voting system to that mentioned in England, except that no voter card is required. They ask for a street address and a house number, but anyone who can read upside down could simply pick a name out of a hat. The risks to the would-be fraudulent voter are that even in our relatively large town of 25,000 people there is a decent chance that the person behind the counter knows the person you are naming, or that the person will later attempt to vote and uncover the fraud (not that there's much that could be done about it at that point).

The news media, in covering questionable elections around the world, often speak of "massive election fraud". It seems to me that since massive fraud is really the only kind that has any predictable benefit, spoofing the blue-haired volunteers behind the desk is not really all that much of a worry.

[Similar comment regarding Mass. from Andrew_Marc_Greene@frankston.com .]
This is not uncommon - I did exactly the same thing. Admittedly there is a RISK, but you also have to consider cultural factors. Accusations of ballot-rigging in UK elections are rare. If someone picked an address at random and voted as a resident there, as suggested, then there would be major investigations & lots of publicity when the real voter turned up with a valid poll card. Yet this does not happen. There is no culture of ballot-rigging in the UK (except long ago in Northern Ireland, but that was done a different way). John C Sager B67 G18, BT Labs, Martlesham Heath, IPSWICH IP5 7RE England jcs@zoo.bt.co.uk +44 473 642623
> Question: Should the UK update its voting system?

Answer: No.

Actually, at least in Northern Ireland, the election procedure has been tightened: because there is a real, as opposed to theoretical, problem with impersonation (vote early, vote often) they insist that you now have to have some form of ID with you (or at least did, I haven't voted there for some years, but I don't imagine that it has changed). Traditionally, polling stations in Britain have someone local who is familiar with the people of the area, a doctor or vicar or something, around as an informal check for impersonation (this would probably work better in rural, than urban areas though).

I don't think there is much of a problem really, with the UK procedure. If they need to be careful (like in NI) they can make things much better, just by always asking for ID, or to see the registration card. But since they don't actually need to at the moment, why bother. After all, a problem with voter impersonation would be obvious if it happened on any sort of scale and if it does happen there are separate procedures for dealing with it. There is the risk here of fixing something that is not obviously broken, by assuming a purely theoretical worst case.

Sean Matthews <sean@mpi-sb.mpg.de> Max-Planck-Institut fuer Informatik, Im Stadtwald, D-66123 Saarbruecken, Germany +49 681 302 5363

[Further similar comments from Peter Robinson <Peter.Robinson@cl.cam.ac.uk>]

Date: Tue, 14 Jun 94 11:33:31 BST
From: grayjw <grayjw@helios.aston.ac.uk>
Subject: Re: Risks in UK Election Voting Process (Rushton, RISKS 16-14)

Thomas Rushton is correct to identify this problem (of getting names from the electoral roll). There are two points to make.

1) You don't need ID to vote in the UK. Instead you must satisfactorily answer two "statutory questions" having given the name and address:
a) Are you XY, resident at (address) (yes)
b) Have you already voted in this election (no)

2) The problem is worst in the case where the "real" turnout is low, because it would be possible, in disguise, to vote several times under different names. However, in a high turnout election, it's more likely that the person whose ID you have used will turn up to vote. They are *not* denied a vote. If you turn up at the polling station, and give your name, and it's already marked on the register, then you will be asked the questions, and given a different colour of ballot paper, which you complete in the same way. If the final result is close enough for these papers to matter, then the election may have to be resolved in court.

I agree that for low-turnout elections there is a problem with the system. This strikes me as a common risk in any democratic system: if you don't use your influence, someone else will.

John Gray