RISKS-LIST: RISKS-FORUM Digest Thursday 16 March 1989 Volume 8 : Issue 39 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Solar flares vs. garage door openers (Steve Bellovin, Peter Scott) Sunspots and Power Lines (John Coughlin) Man-machine interfaces and perception-impaired people (David A. Honig) Re: reverse engineering of type fonts (Herman J. Woltring) Re: Ethics Question (Marc Mengel) Re: Toshiba DOS 3.3 Backup deletes files (Jay Elinsky) Re: IBM's claims to omnipotence (Dr Robert Frederking) Re: Pushbutton Banking (Tom Coradeschi) ---------------------------------------------------------------------- Date: Thu, 16 Mar 89 10:40:37 EST From: ulysses!smb@research.att.com Subject: Solar flares vs. garage door openers You write that the solar flares have been affecting garage door openers. Maybe not. According to a report on CBS News this morning, the FCC is aware of the problem, refuses to say what it is, but says it will clear up in about 6 weeks. When asked if it's a secret government project, they refuse to say. The transmissions are from the top of Mount Diablo, but the FCC [office in Livermore] refuses to identify the agency sending. They'll be transmitting through May 2. Quoth an FCC representative: ``We're not obligated to do anything'' because the openers operate on frequencies also used by the government, and the openers are ``unprotected devices''. His solution: switch to another frequency. I wonder what other equipment, besides garage door openers, is failing? And if they -- whoever ``they'' are -- even thought about the question first? Steve Bellovin [This report was also noted by Jan Wolitzky and Tim Garlick. Also, Michael Sclafani -- who had not heard it -- wondered how a solar flare problem could arise only in the Mt. Diablo area. PGN] ------------------------------ Date: Thu, 16 Mar 89 09:30:38 PST From: Peter Scott Subject: Re: Sunspots & Communications [...] I thought that g.d. openers operated in the microwave range; isn't this power level of transmission unhealthy? Peter Scott (pjs@grouch.jpl.nasa.gov) [Especially if you jack up the power. You need jacks or better to open. PGN] ------------------------------ Date: 16 Mar 89 12:19:00 EST From: John Coughlin Subject: Sunspots and Power Lines Earlier this week a massive blackout hit the province of Quebec, plunging about 6 million people into darkness. A substation on one of the main lines feeding electricity from the James Bay hydroelectric dams to the south of the province had shut down. The suspected reason: the recent intense solar activity. It took almost half a day to rectify (pun intended) the problem, because it was first necessary to identify which of several substations located in a remote area was at fault. John Coughlin, BULL Kingston (613) 541-6439 ------------------------------ Date: Thu, 16 Mar 89 12:36:00 -0800 From: "David A. Honig" Subject: man-machine interfaces and perception-impaired people In RISKS [ Wednesday 15 March 1989 Volume 8 : Issue 38 ] Ken Harrenstien writes, Think about color-coded displays. Touch displays. Mice. Voice-synthesized responses. And so on. None of these is suitable for everyone, but as long as a system is not limited to just one way of doing things, no one will be excluded. I sincerely hope that in the rush to automate everything, designers take advantage of the flexibility that computers give them to provide for as many alternatives as possible. The person who benefits will someday be you. --Ken The developers of advanced man-machine interfaces who wish to use stereooptical displays (so users can manipulate virtual 3-D objects) will have to contend with the fact that approximately 10% of the population has some form of stereodeficiency (usually caused by eye problems as an infant). Groups at NASA, MIT Media Lab, etc. have working prototypes, and it is common for CAD/CAM users to employ 3-D computer graphics. David Honig, Dept of Info & Comp Sci, Univ. of Calif., Irvine, Ca. 92717 ------------------------------ Date: Thu, 16 Mar 89 12:03 N From: Subject: Re: reverse engineering of type fonts (Herman J. Woltring) Mr Randell Neff's query in Risks Digest 8(37) of March 11, 1989 on the ethics and legality of investigating a commercial object and of recovering some of the basic information incorporated in such an object (type fonts information in his paradigm) seems to have a direct bearing on my own (too lengthy) contribution in Risks Digest 8(34) of March 2, 1989. The French proverb "C'est le ton qui fait la musique" (i.e., the way that you put your arguments will have a strong bearing on how your views are perceived and interpreted) may be relevant, as Mr Neff's statement seems to convey that the VorTex people were boasting about their success in avoiding payment of (too) much money. If this was indeed the case, no wonder that some people including Mr Neff became rather upset. Apart from such psychological factors, the legal and ethical aspects might be discussed as follows. I should state that I am neither a lawyer nor an ethicist, but just a computer architect interested in balancing Intellectual Property with Freedom of Information, considering the complementary nature of these aspects under Section 27 of the 1948 Universal Declaration of Human Rights and under Section 15 of the 1966 International Covenant on Economic, Social, and Cultural Rights. Under most legislation in competitive economies, investigating some commercial object by disassembling it for one's own purposes is perfectly ethical and legal. It is only once a direct-for-profit goal becomes the target, that patent law etc. impose certain constraints. Freedom of Information, especially in the USA with its Freedom of Information Act, is an important asset that should not be forgotten lightly. If disassembling a (purchased or borrowed) object for research on its functioning and properties is acceptable in a competitive context, why should it become inacceptable if done in a not-for-commercial-gain context? Mr Neff referred to trade secrets of the font information incorporated in Adobe's product, and this ties directly into the present, commercial drive to use copyright law for imposing trade secrecy on the fundamental know-how contained in a (software) object. However, trade secrets must be KEPT secret, e.g., by binding human persons in contract and by storing documents in strong vaults. It does not make sense to rely on legal connotations that "reverse engineering" of an object (whether hardware or software) are inappropriate and an intellectual burglar's instruments for "theft of know-how": research is allowed on the topography of hardware chips and under patent law (but licences may be imposed once the results of such research are to be exploited commercially); similar research should remain possible under copyright law. This obtains even more because of the automatic, virtually costless protection granted by copyright; patent law requires rather expensive, administrative procedures. As I am most familiar with the software aspects, I'd like to clarify things in the software area, although I do not know whether the VorTex/Adobe controversy is a hardware or a software issue. Higher computer languages exist in order to accomodate the cognitive capabilities of the human computer architect and programmer, and machine languages exist in view of the limitations of current hardware technology. The gap between these two is bridged by compilers and decompilers, and compilers have never been designed in order to impose secrecy of the know-how underlying a software package. Thus, decompilers are not automatically improper tools. Nevertheless, a number of creative legal experts consider it useful for their own purposes to declare decompiling and similar forms of analysis and research first an unethical, then a pirating, and finally an illegal activity. However, the mere fact that there is a new market for something (software used to be freeware!) does not automatically imply that existing tools and technologies should be reinterpreted as legal instruments. Such political interpretations should be judged in terms of the necessary balance between protection and freedom to copy, lest inappropriate monopolies (and similar advantages) are generated or no protection is provided at all. For example, the "Green Paper on Copyright and the Challenge of Technology" published by the Commission of the European Community last summer makes specific reference to the information industry's need that reverse engineering should be allowed lest competition would be stultified: in each competitive situation, we may copy relevant aspects from our competitors (not slavishly, but creatively, by building on those predecessors' work), and this should certainly remain pos- sible. Balance and counterbalance must, of course, be provided, and the copyright doctrine that only form or expression, but not basic ideas or contents are to be protected, is one of the tools for that purpose. In my mind, this means that a legal "fair use / fair dealing" exemption for research, review, and criticism of a protected object should be maintained, but that unfair uses should be outlawed. (The national motto "Je Maintiendrai" of the Kingdom of The Netherlands may be of some relevance, here.) Case law under the Anglo-American Copyright system has been perfectly capable to interpret the extent of (un)fair behaviour, whether commercial or consumptive. The non-competitive VorTex case seems quite within the range of what is called "Fair Use" under Section 107 of the US Copyright Act. In fact, Mr Neff did not clarify his claim that the VorTex activity with respect to Adobe was "certainly not research", as VorTex seemed concerned with saving money for research purposes; rather, the VorTex group might deserve to be congratulated with saving the Californian and other taxpayers' money? After all, the VorTex group did not slavishly copy a protected object for its own, routine use, but analyzed it and then built its own version instead. The similarity to industrial 'clean room' procedures where (computer) architects analyze an object and provide their findings to an independent, 'clean' team of programmers or hardware engineers may be obvious. As regards copyright protection of digital encoding of fonts, I doubt that this does not exist in the USA. Certainly, the 1988 Copyright, Designs and Patents Act in the U.K. provides for specific Copyright protection of typefaces and print lay-outs. Much more serious is the possibility that the VorTex group (if Fair Use under Section 107 USC Copyright Act should not apply) might invoke the 11th Amendment to the US Constitution which grants individual States (including State instrumentalities like the University of California at Berkeley) immunity against copyright damage claims under the federal Copyright Act: see the paper "An Open Letter on Piracy" in Software Magazine 8(3) of March 1988, republished in ACM's Computers and Society 18(3) of July 1988, also referred to in my Risks posting of March 2, 1989 quoted above. Finally, I hope that Mr Neff has communicated his feelings to the UCB professor of whom he was so critical, and that a reaction may appear from him on this forum; I hope that such a communication took place prior to Mr Neff's going public on this issue. Herman J. Woltring Member, Study Committee on Software and Semiconductor Topography Protection, Netherlands Association for Computers and Law Disclaimer: There is an interesting book (in Dutch, unfortunately) published in 1986 in The Hague/NL by the Netherlands Order of Patents Attorneys at the occasion of their Order's 50th Anniversary. It was written by F. Gerzon, and entitled "The Netherlands: are we a people of highwaymen? The re-enactment of the Dutch Patents Act (1869-1912)". ------------------------------ Date: Mon, 13 Mar 89 23:59:59 -0800 From: att!cuuxb!mmengel@ucbvax.Berkeley.EDU Subject: Re: Ethics Question (Randall Neff, RISKS-8.37) >Is this ethically correct? Copyrights and intellectual property are a very sticky issue... especially in a case like this. Consider: Adobe's *internal coding* of the fonts is considered a trade secret, and that trade secret has *not* been abridged by digitising the display of the font. The display of the font was performed by the group's equipment, and with electricity for which they paid... If I buy a machine that makes pretzels, may I not sell the pretzels? Lets say I write a book, printed with Adobe's fonts -- can I sell copies of the book? Or must I purhcase the font from Adobe for large sums of money? >Is it all right to acquire a company's product by clever coding? Clearly not, if you mean breaking some form of computer security to obtain copies of the software, etc. On the other hand, to build your own product that acts like another company's is quite the proper thing to do. Just ask Suave shampoo. ("Ours does what theirs does...") Or your local pharmacist who makes generic versions of common brand name pharmaceuticals. It is the latter course that the CS department has followed, in my opinion. >Is it reasonable behavior for a Famous CS department funded by California > taxpayers and NSF grants (it is certainly not research)? I find your assertion questionable -- after all, universities design operating systems, and aren't there operating systems being sold by companies? Don't features of those operating systems get put into these research systems by "clever coding?" If you want to, you can make any research implementation of anything which has been previously built in industry sound like some sort of copyright violation; just say that the products do similar things, and the students managed to "reproduce" the package with "clever coding"... Never mind if the researchers happen to stumble upon a signifiganly improved method of getting the job done, or learn something usefull about software engineering... >Is there a reasonable way for an audience member to stand up and say: > "For Shame, this is ethically reprehensible behavior and you're setting > a bad example for students everywhere." Not unless you can first demonstrate that the behaviour is morally reprehensible. When you can do that, you need merely ask a few pointed questions of the presenters, and the conclusion will be obvious to the other listeners. However, from the way you describe it, they wrote their own implementation of Postscript, a programming language in its own right, with their own code for displaying fonts, etc. and then wrote a program that could digitize characters which were to be displayed on their printer, and could digitize *any* font displayed on that printer, even one they might have done by hand; they then used this tool to digitize a font they had purchased the right to reproduce in its displayed form (It would be ludicrous to suggest they need an incredibly expensive liscence just to make photocopies of documents printed on their printer, for example). They rewrote Postscript, and digitized some fonts for its use. They could just as easily have run the New York Times through a scanner and picked the letters from it, or typed the alphabet on their typewriter and scanned it in with a digitizer. The typewriter company sells those printwheels for the typewriter; but have our proponents done anything ethically abhorrent? I don't think so. Marc Mengel ------------------------------ Date: Thu, 16 Mar 89 08:56:31 EST From: "Jay Elinsky" Subject: Re: Toshiba DOS 3.3 Backup deletes files Stephen Farrell writes >the moral seems to be that you should sometimes make a backup before making a >backup! It's "standard practice" to keep at least two sets of backups. Call one set of diskettes A, and the other B. This week write your backups on set A. Next week write them on set B, and then back to set A, etc. If your machine dies in the middle of writing on set B, you have some hope of restoring from set A (the backup you took a week ago). The UNIX manual page dump(8) tells about a hierarchial dumping scheme in which you keep some backups forever. Jay Elinsky, IBM T.J. Watson Research Center, Yorktown Heights, NY ------------------------------ Date: Mon, 13 Mar 89 14:49:16 -0100 From: ref@ztivax.siemens.com (Dr Robert Frederking) Subject: Re: IBM's claims to omnipotence (RISKS-8.32) (1) Why these things always go IBM's way in the press: IBM probably has more PR people than most companies have programmers. (2) My biggest complaint about an article like this is that apparently no one, including the reporter and the poster to this list, remembers that the first(?) launch had to be rescheduled because of a complete computer system failure in the flight-control computers! This, in a "bug-free" system. It turned out that there was a 1-in-64 chance (really!) of the system not synchronizing on start-up. Once it hit the bad combination, it had to be reset before it would correctly synchronize. This wasn't discovered in testing because they were too busy testing software in the individual machines to keep cold-starting the whole system. The whole thing had been started from scratch less than 10 times. Robert Frederking, Siemens AG/ZFE F2 INF 23, Otto-Hahn-Ring 6, D-8000 Munich 83 West Germany Phone: (-89) 636 47129 ------------------------------ Date: Thu, 16 Mar 89 18:27:21 EST From: Tom Coradeschi Subject: Re: Pushbutton Banking In a similar vein, the credit union here, at ARDEC has a system much like that you've described. It is somewhat safer, however. The ID number you use is your choice, not something nominally available to the public, like your SSN. It is not possible to transfer funds OUT of checking, to savings or elsewhere. It is possible to transfer funds into checking, but that's what you want to do, anyway. The only possible means of screwing someone over, I can think of, would be to locate both his account number and ID number, and make a withdrawal. However, the method of withdrawal the credit union uses is to mail a check to the address of record for the account. And there is no way to change your address using the phone. That requires an in-person visit, with account identification. If you've got that, why bother using the phone, when you can walk up to a teller window and clean out the account? I'm sure that there are some bugs in this system as implemented, and someone who was really trying could find them, but they certainly aren't as readily apparent as those described earlier. tom c Electromagnetic Armament Technology Branch, US Army Armament Research, Development and Engineering Center, Picatinny Arsenal, NJ 07806-5000 ------------------------------ End of RISKS-FORUM Digest 8.39 ************************ -------