References

[1] M.D. Abrams, E. Amoroso, L.J. LaPadula, T.F. Lunt, and J.N. Williams. Report of an integrity working group. Technical report, Mitre Corp. (Abrams), McLean, Virginia, November 1991.

[2] J.P. Alstad, C.M. Brophy, T.C. Vickers Benzel, M.M. Bernstein, and R.J. Feiertag. The role of “System Build” in trusted embedded systems. In Proceedings of the Thirteenth National Computer Security Conference, pages 172-181, Washington, D.C., October 1-4, 1990. NIST/NCSC.

[3] T. Anderson and P.A. Lee. Fault-Tolerance: Principles and Practice. Prentice Hall International, Englewood Cliffs, New Jersey, 1981.

[4] I. Asimov. Runaround. Astounding Science Fiction, April 1941. Also anthologized in I, Robot and The Complete Robot.

[5] I. Asimov. Forward the Foundation. Doubleday, New York, 1993. Also Bantam paperback, 1994.

[6] M. Asseline. Le pilote est-il coupable? (The Pilot: Is He to Blame?). Edition #1 (4, rue Galleria, 75116 Paris), 1992.

[7] M. Baker and J.K. Ousterhout. Availability in the Sprite distributed file system. ACM SIGOPS Operating System Review, 25(2):95-98, April 1991.

[8] U. Beck. Risk Society: Towards a New Modernity. Sage Publications, Beverly Hills, California, 1992.

[9] K.J. Biba. Integrity considerations for secure computer systems. Technical Report MTR 3153, The Mitre Corporation, Bedford, Massachusetts, June 1975. Also available from USAF Electronic Systems Division, Bedford, Massachusetts, as ESD-TR-76-372, April 1977.

[10] M. Blaze. Protocol failure in the escrowed encryption standard. AT&T Bell Laboratories, June 3, 1994.

[11] K.P. Birman and T.A. Joseph. Reliable communication in the presence of failures. ACM Transactions on Computer Systems, 5(1):47-76, February 1987.

[12] B. BloomBecker. Spectacular Computer Crimes: What They Are and How They Cost American Business Half a Billion Dollars a Year. Dow Jones-Irwin, New York, 1990.

[13] W.E. Boebert and R.Y. Kain. A practical alternative to hierarchical integrity policies. In Proceedings of the Eighth DoD/NBS Computer Security Initiative Conference, Gaithersburg, Maryland, October 1-3, 1985.

[14] B. Boehm. Tutorial: Software Risk Management. IEEE Computer Society Press, Piscataway, New Jersey, 1989.

[15] N.S. Borenstein. Programming As If People Mattered: Friendly Programs, Software Engineering, and Other Noble Delusions. Princeton University Press, Princeton, New Jersey, 1991.

[16] S.S. Brilliant, J.C. Knight, and N.G. Leveson. Analysis of faults in an n-version software experiment. IEEE Transactions on Software Engineering, 16(2):238-247, February 1990.

[17] F.P. Brooks. The Mythical Man-Month: Essays on Software Engineering. Addison-Wesley, Reading, Massachusetts, 1975.

[18] J.E. Brunelle and D.E. Eckhardt, Jr. Fault-tolerant software: An experiment with the SIFT operating system. In Proceedings of the Fifth AIAA Computers in Aerospace Conference, pages 355-360, 1985.

[19] R.W. Butler, D.L. Palumbo, and S.C. Johnson. Application of a clock synchronization validation methodology to the SIFT computer system. In Digest of Papers, Fault-Tolerant Computing Symposium 15, pages 194-199, Ann Arbor, Michigan, June 1985. IEEE Computer Society.

[20] Canadian Trusted Computer Product Evaluation Criteria. Canadian Systems Security Centre, Communications Security Establishment, Government of Canada. Draft Version 3.0e, April 1992.

[21] S.M. Casey. Set Phasers on Stun, and Other True Tales of Design Technology and Human Error. Aegean Publishing Company, Santa Barbara, California, 1993.

[22] R.N. Charette. Software Engineering Risk Analysis and Management. McGraw-Hill, New York, 1989.

[23] R.N. Charette. Application Strategies for Risk Analysis. McGraw-Hill, New York, 1990.

[24] W.R. Cheswick and S.M. Bellovin. Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley, Reading, Massachusetts, 1994.

[25] D.D. Clark and D.R. Wilson. A comparison of commercial and military computer security policies. In Proceedings of the 1987 Symposium on Security and Privacy, pages 184-194, Oakland, California, April 1987. IEEE Computer Society.

[26] D.D. Clark et al. Computers at Risk: Safe Computing in the Information Age. National Research Council, National Academy Press, 2101 Constitution Ave., Washington, D.C. 20418, December 5, 1990. Final report of the System Security Study Committee.

[27] F. Cohen. Computer viruses. In Seventh DoD/NBS Computer Security Initiative Conference, NBS, Gaithersburg, Maryland, pages 240-263, September 24-26, 1984. Reprinted in Rein Turn (ed.), Advances in Computer System Security, Vol. 3, Artech House, Dedham, Massachusetts, 1988.

[28] F.J. Corbató. On building systems that will fail (1990 Turing Award Lecture, with a following interview by Karen Frenkel). Communications of the ACM, 34(9):72-90, September 1991.

[29] F. Cristian. Probabilistic clock synchronization. Technical Report RJ 6432, IBM Almaden Research Center, San Jose, California, September 1988.

[30] F. Cristian. Understanding fault-tolerant distributed systems. Communications of the ACM, 34(2):56-78, February 1991.

[31] D.E. Denning. Responsibility and blame in computer security. In Proceedings of the National Conference on Computing and Values, Southern Connecticut State University, New Haven, Connecticut, August 12-16, 1991.

[32] D.E. Denning. The Clipper encryption system. American Scientist, 81(4):319-323, July-August 1993.

[33] P.J. Denning. Human error and the search for blame. Communications of the ACM, 33(1):6-7, January 1990.

[34] P.J. Denning. Designing new principles to sustain research in our universities. Communications of the ACM, 36(7):98-104, July 1993.

[35] P.J. Denning (ed.). Computers Under Attack: Intruders, Worms, and Viruses. ACM Press, New York, and Addison-Wesley, Reading, Massachusetts, 1990. ACM order number 706900.

[36] J. DeTreville. A cautionary tale. ACM Software Engineering Notes, 16(2):19-22, April 1991.

[37] E.W. Dijkstra. The structure of the THE multiprogramming system. Communications of the ACM, 11(5):341-346, May 1968.

[38] J.E. Dobson and B. Randell. Building reliable secure computing systems out of unreliable unsecure components. In Proceedings of the 1986 Symposium on Security and Privacy, pages 187-193, Oakland, California, April 1986. IEEE Computer Society.

[39] R. Dugger. Annals of democracy (voting by computer). New Yorker, November 7, 1988.

[40] T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. In Advances in Cryptology: Proceedings of CRYPTO 84 (G.R. Blakley and David Chaum, editors), pages 10-18, Springer-Verlag, New York, 1985.

[41] T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469-472, 1985.

[42] European Communities Commission. Information Technology Security Evaluation Criteria (ITSEC), Provisional Harmonised Criteria (of France, Germany, the Netherlands, and the United Kingdom), June 1991. Version 1.2. Available from the Office for Official Publications of the European Communities, L-2985 Luxembourg, item CD-71-91-502-ENC. Also available from UK CLEF, CESG Room 2/0805, Fiddlers Green Lane, Cheltenham UK GLOS GL52 5AJ, or GSA/GISA, Am Nippenkreuz 19, D 5300 Bonn 2, Germany.

[43] R.J. Feiertag and P.G. Neumann. The foundations of a provably secure operating system (PSOS). In Proceedings of the National Computer Conference, pages 329-334. AFIPS Press, 1979.

[44] D. Ferbrache. A Pathology of Computer Viruses. Springer-Verlag, Berlin, 1992.

[45] R. Formaini. The Myth of Scientific Public Policy. Transaction Publishers (Social Philosophy & Policy Center), New Brunswick, New Jersey, 1990.

[46] J. Gall. Systemantics: How Systems Work and Especially How They Fail. Quadrangle/New York Times Book Co., New York, 1977. Also, Pocket Books, New York, 1975.

[47] J. Garman. The bug heard ’round the world. ACM SIGSOFT Software Engineering Notes, 6(5):3-10, October 1981.

[48] M. Gasser. Building a Secure Computer System. Van Nostrand Reinhold Company, New York, 1988.

[49] M. Gasser, A. Goldstein, C. Kaufman, and B. Lampson. The Digital distributed system security architecture. In Proceedings of the Twelfth National Computer Security Conference, pages 305-319, Baltimore, Maryland, October 10-13, 1989. NIST/NCSC.

[50] A. Goldberg. Reliability of computer systems and risks to the public. Communications of the ACM, 28(2):131-133, February 1985.

[51] R.A. Golde. Muddling Through: The Art of Properly Unbusinesslike Management. AMACOM (a division of the American Management Associations), New York, 1976.

[52] L. Gong, T.M.A. Lomas, R.M. Needham, and J.H. Saltzer. Protecting poorly chosen secrets from guessing attacks. IEEE Journal of Selected Areas in Communications, 11(5):648-656, June 1993.

[53] J. Gray. Why do computers stop, and what can be done about it? Technical report, TR85.7, Tandem Computers, Inc., Cupertino, California, 1985.

[54] J. Gray. Transparency in its place. Technical report, TR89.1, Tandem Computers, Cupertino, California, 1989.

[55] G.L. Greenhalgh. Security and auditability of electronic vote tabulation systems: One vendor’s perspective. In Proceedings of the Sixteenth National Computer Security Conference, pages 483-489, Baltimore, Maryland, September 20-23, 1993. NIST/NCSC.

[56] R.W. Hamming. Error detecting and error correcting codes. Bell System Technical Journal, 29:147-60, 1950.

[57] L.J. Hoffman (ed.). Rogue Programs: Viruses, Worms, and Trojan Horses. Van Nostrand Reinhold, New York, 1990.

[58] M. Jaffe, as reported by P.G. Neumann. Aegis, Vincennes, and the Iranian Airbus. ACM SIGSOFT Software Engineering Notes, 14(5):20-21, July 1989.

[59] D. Johnson. Computer Ethics (2nd ed.). Prentice Hall, Englewood Cliffs, New Jersey, 1994.

[60] C. Jones. Assessment and Control of Software Risks. Yourdon Press, 1994.

[61] M.F. Kaashoek and A.S. Tanenbaum. Fault tolerance using group communication. ACM SIGOPS Operating System Review, 25(2):71-74, April 1991.

[62] P. Kane. V.I.R.U.S., Protection of Vital Information Resources Under Siege. Bantam Software Library, New York, 1989.

[63] P.A. Karger. Implementing commercial data integrity with secure capabilities. In Proceedings of the 1988 Symposium on Security and Privacy, pages 130-139, Oakland, California, April 1988. IEEE Computer Society.

[64] P.A. Karger. Improving Security and Performance for Capability Systems. PhD thesis, Computer Laboratory, University of Cambridge, Cambridge, England, October 1988. Technical Report No. 149.

[65] T.F. Keefe, W.T. Tsai, and M.B. Thuraisingham. A multilevel security model for object-oriented systems. In Proceedings of the Eleventh National Computer Security Conference, October 1988.

[66] S.T. Kent. Internet privacy enhanced mail. Communications of the ACM, 36(8):48-60, August 1993.

[67] R. Kling (ed.). Computerization and Controversy: Value Conflicts and Social Choices. Academic Press, New York, 1995.

[68] J.C. Knight and N.G. Leveson. An experimental evaluation of the assumption of independence in multi-version programming. IEEE Transactions on Software Engineering, SE-12(1):96-109, January 1986.

[69] L. Lamport. The implementation of reliable distributed multiprocess systems. Computer Networks, 2:95-114, 1978.

[70] L. Lamport and P.M. Melliar-Smith. Synchronizing clocks in the presence of faults. Journal of the ACM, 32(1):52-78, January 1985.

[71] B. Lampson, M. Abadi, M. Burrows, and E. Wobber. Authentication in distributed systems: Theory and practice. ACM Transactions on Computer Systems, 10(4):265-310, November 1992.

[72] B.W. Lampson. Redundancy and robustness in memory protection. In Information Processing 74 (Proceedings of the IFIP Congress 1974), Hardware II: pages 128-132. North-Holland, Amsterdam, 1974.

[73] S. Landau, S. Kent, C. Brooks, S. Charney, D. Denning, W. Diffie, A. Lauck, D. Miller, P. Neumann, and D. Sobel. Codes, Keys, and Conflicts: Issues in U.S. Crypto Policy. ACM report, June 1994.

[74] S. Landau, S. Kent, C. Brooks, S. Charney, D. Denning, W. Diffie, A. Lauck, D. Miller, P. Neumann, and D. Sobel. Crypto policy perspectives. Communications of the ACM, 37(8):115-121, August 1994.

[75] C.E. Landwehr, A.R. Bull, J.P. McDermott, and W.S. Choi. A taxonomy of computer program security flaws, with examples. Technical report, Center for Secure Information Technology, Information Technology Division, Naval Research Laboratory, Washington, D.C., November 1993.

[76] J.C. Laprie. Dependable computing and fault tolerance: Concepts and terminology. In Digest of Papers, FTCS 15, pages 2-11, Ann Arbor, Michigan, June 1985. IEEE Computer Society.

[77] M. Lee, E. Lee, and J. Johnstone. Ride the Tiger to the Mountain. Addison-Wesley, Reading, Massachusetts, 1989.

[78] T.M.P. Lee. Using mandatory integrity. In Proceedings of the 1988 Symposium on Security and Privacy, pages 140-146, Oakland, California, April 1988. IEEE Computer Society.

[79] N.G. Leveson. Software safety: Why, what, and how. ACM Computing Surveys, 18(2):125-163, June 1986.

[80] N.G. Leveson. Software safety in embedded computer systems. Communications of the ACM, 34(2), February 1991.

[81] N.G. Leveson. Safeware: System Safety and the Computer Age. Addison-Wesley, Reading, Massachusetts, 1995.

[82] N.G. Leveson, S.S. Cha, and T.J. Shimeall. Safety verification of Ada programs using software fault trees. IEEE Software, 8(7), July 1991.

[83] N.G. Leveson and C. Turner. An investigation of the Therac-25 accidents. IEEE Computer, pages 18-41, July 1993.

[84] T.F. Lunt. Aggregation and inference: Facts and fallacies. In Proceedings of the 1989 IEEE Symposium on Research in Security and Privacy, May 1989.

[85] T.F. Lunt. Multilevel security for object-oriented database systems. In Proceedings of the Third IFIP Database Security Workshop, September 1989.

[86] T.F. Lunt, R.R. Schell, W.R. Shockley, M. Heckman, and D. Warren. A near-term design for the SeaView multilevel database system. In Proceedings of the 1988 Symposium on Security and Privacy, pages 234-244, Oakland, California, April 1988. IEEE Computer Society.

[87] J. Mander. Four Arguments for the Elimination of Television. William Morrow/Quill, New York, 1978.

[88] J. Mander. In the Absence of the Sacred: The Failure of Technology & the Survival of the Indian Nations. Sierra Club Books, San Francisco, California, 1991, paperback 1992.

[89] M.D. McIlroy. Green light for bad software. Communications of the ACM, 33(5):479, May 1990.

[90] G.H. Mealy. A method for synthesizing sequential circuits. Bell System Technical Journal, 34:1045-79, September 1955.

[91] P.M. Melliar-Smith and R.L. Schwartz. Formal specification and verification of SIFT: A fault-tolerant flight control system. IEEE Transactions on Computers, C-31(7):616-630, July 1982.

[92] R. Mercuri. Threats to suffrage security. In Proceedings of the Sixteenth National Computer Security Conference, pages 474-477, Baltimore, Maryland, September 20-23, 1993. NIST/NCSC.

[93] H.D. Mills. Principles of Information Systems Analysis and Design. Academic Press, New York, 1986.

[94] E.F. Moore and C.E. Shannon. Reliable circuits using less reliable relays. Journal of the Franklin Institute, 262:191-208, 281-297, September, October 1956.

[95] M. Moriconi and T.C. Winkler. Approximate reasoning about the semantic effects of program changes. IEEE Transactions on Software Engineering, 16(9):990-1004, September 1990.

[96] R. Morris and K. Thompson. Password security: A case history. Communications of the ACM, 22(11):594-597, November 1979.

[97] S.J. Mullender (ed.). Distributed Systems. ACM Press, New York, and Addison-Wesley, Reading, Massachusetts, 1989.

[98] Peer Review of a Formal Verification/Design Proof Methodology. NASA Conference Publication 2377, July 1983.

[99] R. Nader and W. J. Smith. Collision Course: The Truth about Airline Safety. TAB Books, McGraw-Hill, Blue Ridge Summit, Pennsylvania, 1994.

[100] NCSC. Trusted Network Interpretation (TNI). National Computer Security Center, August 1, 1990. NCSC-TG-011 Version-1, Red Book.

[101] NCSC. Department of Defense Trusted Computer System Evaluation Criteria (TCSEC). National Computer Security Center, December 1985. DOD-5200.28-STD, Orange Book.

[102] NCSC. Guidance for Applying the Trusted Computer System Evaluation Criteria in Specific Environments. National Computer Security Center, June 1985. CSC-STD-003-85.

[103] P.G. Neumann. Beauty and the beast of software complexity - elegance versus elephants. In Beauty Is Our Business, A Birthday Salute to Edsger W. Dijkstra (W.H.J. Feijen, A.J.M. van Gasteren, D. Gries, and J. Misra, editors), pages 346-351 (Chapter 39). Springer-Verlag, Berlin, New York, May 11, 1990.

[104] P.G. Neumann. The role of motherhood in the pop art of system programming. In Proceedings of the ACM Second Symposium on Operating Systems Principles, Princeton, New Jersey, pages 13-18. ACM, October 1969.

[105] P.G. Neumann. Computer security evaluation. In AFIPS Conference Proceedings, NCC, pages 1087-1095. AFIPS Press, January 1978. Reprinted in Rein Turn (ed.), Advances in Computer Security, Artech House, Dedham, Massachusetts, 1981.

[106] P.G. Neumann. Psychosocial implications of computer software development and use: Zen and the art of computing. In Theory and Practice of Software Technology, pages 221-232. North-Holland, 1983. D. Ferrari, M. Bolognani, and J. Goguen (eds.).

[107] P.G. Neumann. On hierarchical design of computer systems for critical applications. IEEE Transactions on Software Engineering, SE-12(9), September 1986. Reprinted in Rein Turn (ed.), Advances in Computer System Security, Vol. 3, Artech House, Dedham, Massachusetts, 1988.

[108] P.G. Neumann. The computer-related risk of the year: Misplaced trust in computer systems. In Proceedings of the Fourth Annual Conference on Computer Assurance, COMPASS ’89, pages 9-13. IEEE, June 1989.

[109] P.G. Neumann. The computer-related risk of the year: Distributed control. In Proceedings of the Fifth Annual Conference on Computer Assurance, COMPASS ’90, pages 173-177. IEEE, June 1990.

[110] P.G. Neumann. A perspective from the Risks Forum. In Computers Under Attack: Intruders, Worms, and Viruses, Article 39, pages 535-543, ACM Press, New York, 1990.

[111] P.G. Neumann. Managing complexity in critical systems. In Managing Complexity and Modeling Reality: Strategic Issues and an Action Agenda, pages 2-36-2-42, ACM, New York, 1991. In a report edited by D. Frailey, based on an ACM Conference on Critical Issues, Arlington, Virginia, November 6-7, 1990. This paper includes a discussion of papers by David Parnas, Edward S. Cheevers and R. Leddy in the conference track on Managing Complexity.

[112] P.G. Neumann. Security criteria for electronic voting. In Proceedings of the Sixteenth National Computer Security Conference, pages 478-482, Baltimore, Maryland, September 20-23, 1993.

[113] P.G. Neumann. Illustrative risks to the public in the use of computer systems and related technology, index to RISKS cases as of October 7, 1993. ACM Software Engineering Notes, 19(1):16-29, January 1994. (At-least quarterly cumulative updates to this index are available on request.)

[114] P.G. Neumann, R.S. Boyer, R.J. Feiertag, K.N. Levitt, and L. Robinson. A provably secure operating system: The system, its applications, and proofs. (2nd ed.) Technical report, SRI International Computer Science Lab, Menlo Park, California, May 1980. Report CSL-116.

[115] P.G. Neumann and D.B. Parker. A summary of computer misuse techniques. In Proceedings of the Twelfth National Computer Security Conference, pages 396-407, Baltimore, Maryland, October 10-13, 1989. NIST/NCSC.

[116] D.A. Norman. The Psychology of Everyday Things. Basic Books, New York, 1988.

[117] D.A. Norman. Human error and the design of computer systems. Communications of the ACM, 33(1):4-5, 7, January 1990.

[118] S. Papert. The Children’s Machine: Rethinking School in the Age of the Computer. Basic Books, New York, 1993.

[119] D.B. Parker. Crime by Computer. Scribner, New York, 1976.

[120] D.B. Parker. Fighting Computer Crime. Scribner, New York, 1983.

[121] D.B. Parker. Ethical Conflicts in Information and Computer Science, Technology, and Business. QED Information Sciences, Wellesley, Massachusetts, 1990.

[122] D.L. Parnas. On the criteria to be used in decomposing systems into modules. Communications of the ACM, 15(12), December 1972.

[123] D.L. Parnas. A technique for software module specification with examples. Communications of the ACM, 15(5), May 1972.

[124] D.L. Parnas. On a “buzzword”: Hierarchical structure. In Information Processing 74 (Proceedings of the IFIP Congress 1974), Software, pages 336-339. North-Holland, Amsterdam, 1974.

[125] M. Pease, R. Shostak, and L. Lamport. Reaching agreement in the presence of faults. Journal of the ACM, 27(2):228-234, April 1980.

[126] C. Perrow. Normal Accidents. Basic Books, New York, 1984.

[127] I. Peterson. Fatal Defect: Chasing Killer Computer Bugs. Random House, New York, 1995.

[128] W.W. Peterson and E.J. Weldon, Jr. Error-Correcting Codes (2nd ed.). MIT Press, Cambridge, Massachusetts, 1972.

[129] H. Petroski. To Engineer is Human: The Role of Failure in Successful Design. St. Martin’s Press, New York, 1985.

[130] H. Petroski. Design Paradigms: Case Histories of Error and Judgment in Engineering. Cambridge University Press, Cambridge, England, 1994.

[131] C.P. Pfleeger. Security in Computing. Prentice Hall, Englewood Cliffs, New Jersey, 1989.

[132] R.M. Pirsig. Zen and the Art of Motorcycle Maintenance. William Morrow, Bantam Books, New York, 1974.

[133] R.M. Pirsig. Lila, An Inquiry into Morals. Bantam Books, New York, 1991.

[134] B. Randell. System design and structuring. Computer Journal, 29(4):300-306, 1986.

[135] T.R.N. Rao. Error-Control Coding for Computer Systems. Prentice Hall, Englewood Cliffs, New Jersey, 1989.

[136] R. Rivest. The MD4 message digest algorithm. Technical report, MIT Laboratory for Computer Science, October 1990. TM 434.

[137] R. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120-126, February 1978.

[138] J.A. Rochlis and M.W. Eichin. With microscope and tweezers: The Worm from MIT’s perspective. Communications of the ACM, 32(6):689-698, June 1989.

[139] E. Rosen. Vulnerabilities of network control protocols. ACM SIGSOFT Software Engineering Notes, 6(1):6-8, January 1981.

[140] M. Rotenberg. Communications privacy: Implications for network design. Communications of the ACM, 36(8):61-68, August 1993.

[141] M. Rotenberg. The underpinnings of privacy protection. Communications of the ACM, 36(8):69-73, August 1993.

[142] J.M. Rushby and F. von Henke. Formal verification of algorithms for critical systems. ACM Software Engineering Notes, 16(5):1-15, December 1991.

[143] R.G. Saltman. Accuracy, integrity, and security in computerized vote-tallying. Technical report, National Bureau of Standards (now NIST) special publication, Gaithersburg, Maryland, 1988.

[144] R.G. Saltman. Assuring accuracy, integrity and security in national elections: The role of the U.S. Congress. In Computers, Freedom and Privacy ’93, pages 3.8-3.17, March 1993.

[145] R.G. Saltman. An integrity model is needed for computerized voting and similar systems. In Proceedings of the Sixteenth National Computer Security Conference, pages 471-473, Baltimore, Maryland, September 20-23, 1993.

[146] P.H. Salus. A Quarter Century of UNIX. Addison-Wesley, Reading, Massachusetts, 1994.

[147] S.R. Schach. Software Engineering (2nd ed.). Aksen Associates, Homewood, Illinois, 1993.

[148] C.P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology: Proceedings of CRYPTO 89 (G. Brassard, editor), pages 239-251, Springer-Verlag, New York, 1990.

[149] M.D. Schroeder, A.D. Birrell, and R.M. Needham. Experience with Grapevine: The growth of a distributed system. TOCS, 2(1):3-23, February 1984.

[150] D. Seeley. Password cracking: A game of wits. Communications of the ACM, 32(6):700-703, June 1989.

[151] SEI/NSIA Conference on Risks in the Acquisition and Development of Large-Scale Software Intensive (LSSI) Systems, Pittsburgh, Pennsylvania, October 8-10, 1991. SEI/NSIA.

[152] M. Shamos. Electronic voting: Evaluating the threat. In Computers, Freedom and Privacy ’93, pages 3.18-3.25, March 1993.

[153] R.J. Shea and R.A. Wilson. The Illuminatus! Trilogy. Dell, New York, 1975.

[154] T.J. Shimeall and N.G. Leveson. An empirical comparison of software fault tolerance and fault elimination. IEEE Transactions on Software Engineering, SE-17(2):173-183, February 1991.

[155] J.F. Shoch and J.A. Hupp. The “Worm” programs—early experience with a distributed computation. Communications of the ACM, 25(3):172-180, March 1982. Reprinted in Denning (ed.), Computers Under Attack.

[156] W.R. Shockley. Implementing the Clark/Wilson integrity policy using current technology. Technical report, Gemini Computers, P.O. Box 222417, Carmel, California, 1988. GCI-88-6-01.

[157] S.K. Shrivastava and F. Panzieri. The design of a reliable remote procedure call mechanism. IEEE Transactions on Computers, C-31(7):692-687, July 1982.

[158] E. Spafford. Are computer hacker break-ins ethical? Journal of Systems and Software, January 1992. Purdue Technical Report CSD-TR-994, March 91.

[159] E.H. Spafford. The Internet Worm: Crisis and aftermath. Communications of the ACM, 32(6):678-687, June 1989.

[160] P. Stephenson and K. Birman. Fast causal multicast. ACM SIGOPS Operating System Review, 25(2):75-79, April 1991.

[161] B. Sterling. The Hacker Crackdown: Law and Disorder on the Electronic Frontier. Bantam, New York, 1992 (paperback 1993).

[162] C. Stoll. Stalking the Wily Hacker. Communications of the ACM, 31(5):484-497, May 1988.

[163] C. Stoll. The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage. Doubleday, New York, 1989.

[164] A. Swasy. Soap Opera: The Inside Story of Procter & Gamble. Times Books, New York, 1993.

[165] S. Talbott. The Future Does Not Compute. O’Reilly & Associates, Sebastopol, CA 95472, 1994.

[166] A.S. Tanenbaum. Modern Operating Systems. Prentice Hall, Englewood Cliffs, New Jersey, 1992.

[167] K. Thompson. Reflections on trusting trust (1983 Turing Award Lecture). Communications of the ACM, 27(8):761-763, August 1984.

[168] I.L. Traiger, J. Gray, C.A. Galtieri, and B.G. Lindsay. Transactions and consistency in distributed database systems. ACM TODS, 7(3):323-342, September 1982.

[169] UK-Ministry of Defence. Interim Defence Standard 00-55, The Procurement of Safety-Critical Software in Defence Equipment. U.K. Ministry of Defence, April 5, 1991. DefStan 00-55; Part 1, Issue 1: Requirements; Part 2, Issue 1: Guidance.

[170] UK-Ministry of Defence. Interim Defence Standard 00-56, Hazard Analysis and Safety Classification of the Computer and Programmable Electronic System Elements of Defence Equipment. U.K. Ministry of Defence, April 5, 1991. DefStan 00-56.

[171] S.H. Unger. Controlling Technology: Ethics and the Responsible Engineer (2nd ed.). John Wiley and Sons, New York, 1994.

[172] V. Varadharajan and S. Black. Multilevel security in a distributed object-oriented system. Computers and Security, 10(1):51-68, 1991.

[173] J. von Neumann. Probabilistic logics and the synthesis of reliable organisms from unreliable components. In Automata Studies, pages 43-98, Princeton University, Princeton, New Jersey, 1956.

[174] F.W. Weingarten. Public interest and the NII. Communications of the ACM, 37(3):17-19, March 1994.

[175] J.H. Wensley et al. SIFT design and analysis of a fault-tolerant computer for aircraft control. Proceedings of the IEEE, 66(10):1240-1255, October 1978.

[176] J.H. Wensley et al. Design study of software-implemented fault-tolerance (SIFT) computer. NASA contractor report 3011, Computer Science Laboratory, SRI International, Menlo Park, California, June 1982.

[177] L. Wiener. Digital Woes: Why We Should Not Depend on Software. Addison-Wesley, Reading, Massachusetts, 1993.

[178] E. Wobber, M. Abadi, M. Burrows, and B. Lampson. Authentication in the Taos operating system. ACM Operating Systems Review, 27(5):256-269, December 1993. Proceedings of the Fourteenth ACM Symposium on Operating Systems Principles.

[179] W.D. Young and J. McHugh. Coding for a believable specification to implementation mapping. In Proceedings of the 1987 Symposium on Security and Privacy, pages 140-148, Oakland, California, April 1987. IEEE Computer Society.
