Index

Boldfaced page numbers indicate a primary description. Italic page numbers indicate a glossary item.

Abstract data types, 240

in Clark-Wilson, 242

Abstract objects, 242

Abstraction, 235, 240

concept of, 240

data, 240

procedure, 240

role of assumptions, 241

Access controls, 98

changes in parameters, 111

discretionary, 99

copy propagation problem, 99

group-based, 99

mandatory, 99

Access-control lists, 99

Accidental misuse, 126

ACM

code of professional conduct, 181

Ada, 236

rendezvous, 236

Adams, Douglas, 292

Administration, 213

Adversities, 7

Aegis

Airbus shot down, 35, 207, 268

display insufficiency, 266

Aeromexico crash, 45

Age problems, 87, 88, 288

Aggregation of data, 112

AIDS Trojan horse, 141

Air France Airbus A320, 45

Air Inter, 46

Air New Zealand, 47, 266, 287

Air-cargo shutdown

giraffes die, 157

Air-conditioning outage, 164

Air-traffic control

collision avoidance, 48

impersonations, 49

outages, 15, 17, 48

problems, 48

Airbus

A320

accidents, 45

flight control, 43

color coding, 43

Aircraft accidents

Aeromexico, 45

Air New Zealand, 47, 287

Airbus A320

Air France, 45

Air Inter, 46

Indian Airlines, 45

Lufthansa, 46

British Midland, 44, 287

collision

with birds, 47

with private planes, 45

F-18, 38, 287

Ilyushin, 46

KAL 007, 47

Lauda Air, 44

lightning, 48

Northwest, 44

Akkerhuis, Jaap, 90

Alarm system example, 95, 131, 180

ALCOA

electrician killed by guided vehicle, 66

Aliasing

avoidance of, 240

in operating systems, 107

in programming languages, 236

vulnerabilities, 107

Allstate Insurance, 216

AMD 29000 flaws, 93

Anderson, Jack

on Chernobyl, 78

Anik E-1, E-2, 30

Anwar, Yasmin, 327

Apollo 11, 26

Arens, Yigal, 193

Ariane, 28

Aries, 27, 121

ARPAnet, 127, 345

1980 collapse, 13, 123, 127, 156, 267, 289

1986 severance, 14, 127, 156

nodes vulnerable, 129

Asimov, Isaac

“It’s Such a Beautiful Day,” 312

Laws of Robotics, 64

psychohistory, 257

AT&T

1990 blockage, 14, 123, 127, 156, 213

power problem, 213

Atlas failures, 28

Atlas-Agena, 26, 121

Atlas-Centaur, 159

ATM, see Automated teller machines

Atomicity, 241

incomplete, 107, 108

Attacks

bypass, 105

password, 108

pest programs, 103-105

trapdoor, 105

Auditing, 213

compromisible, 107

Authentication, 211

biometric, 255

compromise, 211

criteria for, 254

flaws, 106, 107

mutual, 212

servers, 212

techniques for, 253-255

Authorization, 99

flaws, 100, 106

Automated teller machines

breakdowns, 156

fraud, 165

outage due to snow, 164

Automobile

microprocessor interference, 162

traffic control breakdown, 156

Availability, 97

of distributed data, 212

Aviation problems, 40-50. See also Aircraft accidents

autopilots on 757/767, 44

summary, 50

B-1 bomber, 217

Backup, 213

absence

downs NY Public Library, 158

downs Theatre Royal, 157

battery drained, 16

British Rail crash, 54

deleted data still present, 145

prematurely decommissioned, 175

shuttle

design, 21

STS-1 uninitializable, 20

STS-20 delay, 22

STS-36 delay, 24

Bandar, Mary, 87

Bank of America MasterNet, 216

Bank of New York overdraft, 267, 287

Barometric effects, 163

Barrett, Jean Paul, 175

BART (Bay Area Rapid Transit)

1980 outages, 54

power outage, 55

Bartelt, Mark, 322

Beck, Ulrich, 315

Beckman, Joseph M., 328

Beertema, Piet, 146

Benson, David B., 318

Berkowitz, Howard, 162

Berra, Yogi, 239

Bidzos, James, 331

Billing errors, 190

Los Angeles property tax, 217

Black Hawk

interference, 158

shootdowns, 35, 266

Blame, 261, 285-286

analysis, 256

distributed, 206

Blaze, Matt, 188

Blinn, Tom, 78

Blodgett, G.C., 87

BloomBecker, Buck, 323

Blue Cross, 196, 217

BMEWS defense system, 38

Board, John, 173

Boebert, Earl, 318

Boeing

color coding, 43

KC-135, 47

Boone, Donny Ray, 195

Bootload

flaws introduced, 106

security risks, 239

virus corruption, 105

Borenstein, Nathaniel S., 315

Bork, Robert, 186

Bosworth, Ken, 157

Boulders fall, 63

Bowsher, Charles A., 217

Branscomb, Lewis, 219

Breisacher, Lee, 87

Brinkley, David, 191

Brinks scammed, 167

British Midland crash, 44, 267

Broadcast protocols for fault tolerance, 328

Brodeur, Paul, 321

Brooks, Frederick P., 331

Brown, Forman, 190

Brunnstein, Klaus

virus catalog, 324

Buchsbaum, Sol, 214

Bullock, Conrad, 91

Burleson, Donald Gene, 139

Burnham, David, 326

Business Men’s Assurance, 217

Bynum, Terry, 330

Bypass attacks, 105-111

Byzantine

algorithms, 213, 228, 271, 329

clocks, 87

failures, 213, 228

C (programming language), 236

compiler Trojan horse, 115

C++, 236

object-oriented, 237

C-17 cost overrun, 218

Caching, invisibility of, 240

Cadsoft, antipiracy spoof, 153

Caen, Herb, 291

Cain, Ron, 66

Calling-Number Identification, 182

Capstone, 188

Captain Midnight, 153

Carson, Johnny

media interference, 162

CASE (computer-aided software engineering), 238

Casey, Steven M., 316

Cassandra attitude, 296

Causes of risks, 5, 120-131

Celine, Hagbard, 194

Cellular telephone

eavesdropping, 185

fraud, 136

Certification of professionals, 281-283

challenge, 284

Ceruzzi, Paul, 317

Challenges

concluding, 310

human issues, 283

preliminary, 11

privacy, 202

reliability, 95

security, 179

systems, 259

vulnerabilities, 118

weak links, 131

Chapman, Gary, 328

Charette, Robert N.

risk analysis, 255

Chemical industry

in Britain, 61

explosion in the Netherlands, 61

Chernenko spoof, 146

Chernobyl, 77, 128, 266

Chernousenko, Vladimir, 77

Chinese launchpad explosion, 31

Chorus Line, A, blacked out, 161

Chow, Stanley, 327

Churchill, Mae, 325

Clark-Wilson integrity model, 226, 240, 242

implementation, 242

summarized in Table 7.3, 242

Clarke, Arthur C., 306

Cleopatra’s Nose, 331

Client-server model, 240

Clipper Chip, 187

Clock problems, 85-93

arithmetic errors, 89

Byzantine, 87

century ambiguities, 87

leap-year ambiguities, 90

millennium ambiguities, 92

overflows, 88

remote, 87, 89

summary, 91

summer time, 89

and ingot cooling, 89

police system fails, 89

year-end, 89

CNID, see Calling-Number Identification

Coding

error-correcting, 229, 328, 329

error-detecting, 328

Cohen, Fred, 104

Cohen, Norman, 207

Coke-machine telephone calls, 157

Collaboration, 278-281

Collins-Thompson, Kevyn, 188

Collor de Mello, Fernando, 145

Colville, John, 326

Communications problems, 13-19

summary, 18

Community Alert Network

Trojan horsed, 138

Complexity, 221-227

Components

equal trustworthiness, 210

relative trustworthiness, 210

Compromise, 211, 345

of auditing, 107

of authentication, 211

of consistency, 213

with a multiuse password, 110

through programming languages, 236

by Trojan horse, 115

COMPUSEC, 345

Computational problems, 93

Computers at Risk, 316

COMSEC, 345

Concept formation, 233

Concurrency control

management, 212

virtualized, 241

Condyles, Nick, 327

Confidentiality, 96

in auditing, 213

in communications, 212

loss of, 211

Configuration flaws introduced, 106

Conn, Dickie Ann, 191

Consistency

between code and spec, 237

between specs and requirements, 236

in Clark-Wilson, 242

in distributed databases, 212

problems in recovery, 213

through formal analysis, 238

Continental Cablevision

antipiracy spoof, 153

Control system

problem summary, 64

safety, 60-67

Conway’s Law, 204

Conway, Joanne, 192

Corbató, Fernando Jose

CTSS bug, 144

system development, 239

Covert channels

aggressive exploitation, 111

in distributed systems, 212

threats, 129

Cox, Henry, 325

Craigen, Dan, 322

Crepin-Leblond, Olivier M.J., 319

Criteria, 345

for safety, 233

for security, 233, 329

for system evaluations, 233

Critical failures, 12

Critical requirements, 3

Criticality, 345

Crompton, C.S., II, 195

Cryptosystem

private-key, 347

public-key, 348

secret-key, 348

shared-key, 349

CTCPEC, 345

CTSS (Compatible Time-Sharing System)

recursion, 155

security accident, 144

DAC, see Discretionary access controls

Danforth, Sen. John, 186

Database misuse

background checks, 184

government data, 185

murder, 184

police data, 185

Date problems, 85-93

summary, 91

Datri, Anthony, 71

DC-8

engine failures, 47

simultaneous engine failure, 124

DC-10 crash, 121

Death

erroneously reported, 190

masked by automatic payments, 190

Decommission, 6

Defense problems, 34-39

summary, 39

Defibrillator deactivation, 71

Delta-178 (rocket), 28

Dement, Martin Lee, 194

Denial of service

ATMs shut down by roof collapse, 164

bogus cable chips, 155

CTSS recursion, 155

Encyclopaedia Britannica, 154

insurance company held hostage, 154

intentional, 153-155

lithographer data, 154

newspaper sabotage, 154

Prescott Valley, AZ, 154

unintentional, 155-165

Washington DC analyst, 154

Denning, Dorothy E., 330

Clipper Chip, 187-188

Denning, Peter J., 208, 323, 330

intelligent life, 152

new common sense, 305

Dependability, 98, 345

feasibility, 296-299

Dependence, 345

hidden, 210

identification of, 242

on less-accessible components, 212

on less-trustworthy components, 210

Depends on, 345

Derbyshire, Drew, UUPC, 90

DES, see Digital Encryption Standard

Desert Storm, 47

Design

failures due to, 262

not reflecting implementation flaws, 117

principles, 240

impact, 243

DeTreville, John, 124

Development problems, 216-218

Devine, Robert, 319

Diana, Princess, 186

Dictionary attack, 109, 114

Digital Encryption Standard, 254, 345

Digital signature, 345

Digital Signature Standard, 280, 346

Discovery security error, 144

Discretionary access controls, 99. See also Access controls

Display board spoof, 150

Disraeli, Benjamin, 286

Distributed data problems, 210, 212, 213

Distributed system risks, 209-215

Dolan, Brad, 320

Door closing kills woman, 62

Dorsett, Robert, 40, 44

DOS, 346

Downs, Diane, 175

Drawbridge

closes, barriers don’t open, 63

opens, short circuit, 63

DSS, see Digital Signature Standard

Dugger, Ronnie, 173

Dumpster diving, 113

Earnest, Les, 320

Eavesdropping, 100, 113

Edison, Thomas Alva, 183

Editor risks, 192

Edwards, David L., 322

Effects of risks, 7, 120-131

Eggert, Paul, 90

Eiffel (programming language), 237

Einstein, Albert, 221

Elections

constraints, 243-253

risks, 171-174

Electra, 220

Electrical power problems, 74-85

Electrocution by heart monitor, 70

Elevator accidents

in Ottawa, 62

Emanations, 113

Emergency dispatch problems, 72

Emerson, Ralph Waldo, 304

Encapsulation, 235, 240

in Clark-Wilson, 242

flaws in, 107

Encryption

public-key, 348

for authentication, 111

for key distribution, 212

shared-key, 349

distribution, 212

Epson America, 187

Equifax

data misused, 187

Lotus Marketplace, 182

Errors, 12

Escape completion, 179

Escrowed Encryption Standard, 280

Esparza, Fernando M., 324

Estelle, 236

Estrin, Debbie, 190

Ethernet promiscuous mode, 211

Ethics, 273-276, 284

Euclid, Real-Time, 236

Evaluation during development, 237

Evolution, 6, 238

security implications, 239

Exxon Valdez, 59, 265, 268

F-16

deadlock detected, 39

flip-over detected, 38

flip-over, 219

stall, 267

F-18

missile clamped, 38

missing exception, 38, 287

F-111

over Libya, 37

Failures, 12

critical, 12

The Falcon and the Snowman, 153

Falklands War

helicopter lost, 37

Fault tolerance, 212, 228. See also Table 7.2, 231

hierarchical, 231

techniques, 227-231

virtualized, 241

Faults, 12

Features, 346

Ferlinghetti, Lawrence, 181

Finalization in programming, 236

Financial losses

accidental, 169-171

ATM overgenerosity, 170

Bank of New York, 169

Federal Reserve

duplicates transactions, 170

transfer off by factor of 1000, 170

German bank duplicates transfers, 170

intentional, 165-169

late lottery tickets, 170

racetrack malfunction, 170

Sri Lankan rupees, 169

UK bank duplicates transfers, 170

finger, 107, 127, 211

Fire

Dreyers Ice Cream, 164

Hinsdale, IL, 164

Flaws

authentication, 107

bypass, 105

encapsulation, 107

finalization, 106

initialization, 106

logic, 108

naming, 107

in password mechanisms, 108

sequencing, 107

termination, 106

trapdoor, 105

validation, 107

Floating-point accuracy, 93

Flood

Colorado River, 220

Hinsdale, IL, 164

flushot, 141

Fokker F.100, 43

Ford, Daniel F.

The Button, 38

Three Mile Island, 321

Ford, Gerald

media interference, 161

Formal methods, 225

in consistency proofs, 237

Formality, 346

FORTRAN

DO loop in Mercury, 27

in German, 93

Fostel, Gary, 282

Foster, Neil (both), 195

Fox, Joseph M., 318

Franklin, William Randolph, 322

Fraud

ATM, 165

attempted

ATM card counterfeiting, 168

Belgian BNP, 166

Dutch bank, 168

First Interstate of California, 167

First National of Chicago, 166

Harrah’s, 167

Pennsylvania lottery, 167

Prague, 166

Union Bank of Switzerland, 167

financial, 165-169

password misused, 166

Pinkerton’s, 167

Volkswagen, 165

voting, 172

Freud, Sigmund, 327

Friendly fire

Black Hawks shot down, 35

Galileo, 30

Gall, John, 316

Gaps

role in privacy, 189

social, 99, 100

sociotechnical, 99

technological, 98, 99

Garman, Jack

first shuttle, 20

Gasser, Morrie

distributed systems, 325

secure systems, 325

Gateways, 346

accessibility, 214

Gegg, Nicholas, 320

Gemini V, 27, 121

gets, 107, 133

Ghosts

planes, 48

trains, 55

Giraffe deaths, 157

Golde, Roger A., 278

Gorbachev, Mikhail, 186, 279

Goun, Roger H., 90

Gp 1 virus, 141

Graf, Steffi, 132

Graham, Malcolm, 191

Greenberg, Ira, 320

Greenfield, Gerald Harvey, 165

Greenhalgh, Gary L., 325

Grind, shutdown, 157

Gripen, 36

Groups of users, 99

Groves, Mark, 318

Guards, 346

Gumbel, Bryant, 186

Hamming distance, 229

Handley-Page Victor

tailplane flutter analysis, 122, 220

Handwriting recognition, 207

Hardie, Doug, 173

Harrah’s Tahoe scam, 167

Hartford Civic Center roof collapse, 221

Harvard Mark I wiring, 93, 125

Health problems, 68-73

summary, 73

Heisenberg phenomenon, 263, 290

Hellman, Martin, 331

Herbison, B.J., 321

Hess, Markus, 134

Hibbert, Chris, 327

Hierarchical structure

layering of abstractions, 203, 240

Hoffman, Lance, 323

Hoffman, Rodney, 328

Holbrook, Paul, 321

Horning, James, 310

BRAVO, 206

Electra, 221

Grapevine, 215

Star Wars, 214

Horsfall, Dave, 164

Hubble Space Telescope, 204

Huth, Mark, 324

Hyphenation risks, 192

Identification, 211, 346

flaws, 106

universal, 199

IFF transponder, 36

Ilieve, Peter, 322

Illuminatus, unnamed, 326

Implementation, 346

failures due to, 262

sometimes an afterthought, 236

use of higher-level languages, 225

Inaction, 113

Incremental closure, following system changes, 239

Indian Airlines, 45

Inference, 112

on page fault activity, 109

salary example, 179

Information hiding, 240

lack of, 107

Information superhighway, 299

questions, 302

INFOSEC, 346

Inheritance, 235

Initialization

flaws, 106

in programming, 236

Integrity, 2, 97

loss of, in communications, 211

problems, 132-180

Intel 486 flaw, 93

Intelsat 6, 24

Intent of misuse, 126

confused in policies and laws, 99

Intentional misuse, 126

Interfaces, 206-209

Interference, 100, 128

affecting Japanese robots, 65, 162

Atlas-Centaur, 159

automobile microprocessors, 162

Black Hawk, 158

Challenger communications, 159

clocks, 162

examples, 158

garage doors, 161

hospital alarms, 71

hospital ICU, 161

Johnny Carson, 162

kills miner, 160

McDonald’s clocks, 160

miscellaneous cases, 163

nuclear power, 161

pacemakers, 70, 161

scoreboard clock, 163

Sheffield, 158

Skylab, 159

tape drives, 162

theater

A Chorus Line, 161

Sunset Boulevard, 162

Tomahawk, 158

Internet, 346

Internet Worm, 106, 107, 127, 211

Irland, Edwin A., 215

Isolation, 240

ITSEC, 346

Jackson, Shirley, 195

Jacky, Jon, 319, 320, 321

Jaffe, Matt

Aegis, 35

Jail problems, 174-176

Jalali, Caveh, 215

Johnson, Deborah, 330

Johnson, Jeff, 182

Jones, Douglas W., 91

Jones, Shirley (both), 196

Joyce, Edward, 317, 321

Jung, Carl G., 203

Jurassic Park, 142

Kamens, Jonathan, 215

Karger, Paul, 242

Keefe, Bill, 320

Kegel, Ted, 149

Keys

private, 347

public, 348

shared, 349

Kipling, Rudyard

The Iron Ring, 282

Klein, Dan, 163

Klossner, Andrew, 175

Knight, John, 89, 90

Korean Air Lines 007, 47

Lack, G.M., 90

Ladkin, Peter, 46

Laing, R.D., 294

Lamport, Leslie, 209

Buridan’s Ass, 39

Lampson, Butler

distributed system authentication, 325

reliable memory protection, 323

Landau, Susan, 188

Landsat 6, 30

Lanford, W.A., 159

Lao Tse, 203, 216

Lauda Air 767, 44

Lauffenberger, Michael John, 139

Laws, 275

Layering, 240

Clark-Wilson applications, 242

Leading Edge, 141

Leap-year problems, 90

Least common mechanism, 240

Lee, T.M.P., 242

Lehenbauer, Karl, 26

Les Miserables, shutdown, 157

Letter bombs, 346

Letterman, Art, 183

Leveson, Nancy G.

Crystal River reactor, 321

Pacemaker, 71

Safeware, 316

software safety, 329

Therac-25, 68

Levine, Leonard P.

Computer Privacy Digest, 315

Lewis, Anthony, 264

Lewis, Donald R., 139

Leyland, Paul, 324

Library shutdowns, 158

Lightning

launches rockets, 160

strikes twice, 160

Logic bombs, 103, 346

Logic flaws, 108

Login

remote, 110, 211

trapdoor, 110

universal, 110

London Ambulance Service, 72

London Stock Exchange Taurus, 216

Londono, William, 174

Lotus Marketplace, 182

Lufthansa, 46

Ma, Yo-Yo, 142

MacInTax, 191

Maintenance

failures due to, 262

needs, 238

security implications, 239

Management

of developments, 238

of system build, 238

Mander, Jerry

aphorisms, 304

Failure of Technology, 316

Television, 301

Mariner I, 26, 121

Markoff, John, 323

Mars Observer, 29

Marshall, Lindsay, 163

Martens, Wilfried, 186

Masquerading, 113

Massey, Walter, 277

Master-password trapdoor, 115, 237

MasterNet, 216

Mayer, Ken, 78

Mazlov, Anatoly, 78

McLeod, John, 88

McMahon, James, 140

Mediation, 346

Medical information, erroneous, 71

Mellor, Peter, 53, 292, 319

Mercuri, Rebecca, 325

trust, 264

virtual reality, 221

Mercury, 237

DO I=1.10, 27, 237

monkey business, 288

reentry, 21

Message digesting, 346

Michaelson, George, 319

Michelangelo virus, 141

Mills, Harlan, 331

Milnet, 127, 346

Minow, Martin, 159

Misrepresentation, 113

Missiles, aiming problems, 38

Misuse

accidental, 126

of acquired rights, 105

by authorized users, 214

bypass of authorization, 100

deferred, 100

eavesdropping, 100

external, 112

of hardware, 113

intentional, 126, 132-144

interference, 100

of maintenance facilities, 128

masquerading, 100

penetrations, 214

pest programs, 100

of resources, 100, 111

techniques

summarized in Table 3.1, 102

unintentional, 144-145

Mitnick, Kevin, 136

MLI, 346, 347. See also Multilevel integrity

MLS, 346, 347. See also Multilevel security

Modeling, 219

failures due to, 262

Models, 346

Modula-2+, 236

Modula-3, 236

object-oriented, 237

Molenaar, Paul, 325

Monitor burnout, 158

Monitoring, 213, 347

Monkey

in 747 cockpit, 288

Cosmos, 288

Mercury-Atlas, 288

Moore, Edward F., 329

Morris, Bob

dictionary attacks, 109, 143

interconnectivity, 299

Morris, Noel, CTSS, 155

Morris, Robert Tappan, 133

Motor vehicle database misuse, 184

Mullender, Sape, 325

Multics, 347

access control, 99

Multilevel integrity, 225, 226, 243

property, 243

TCB, 243

Multilevel security, 225, 226, 240

property, 240

TCB, 243

Multiprocessing, 104

Mumford, Lewis, 305

Murphy’s Law, 12, 286

Murray, W.H., 215

Mutual authentication, 212

n-version programming, 124

Nader, Ralph

Collision Course, 316

Nagle, John B., 158

Naming

aliases, 107

in correspondence, 198

flaws, 107

problems, 194-200

spoofing, 110

National Crime Information Center (NCIC), 182

National Information Infrastructure, 299

National Institute of Standards and Technology (NIST), 331

Nationwide Electronic Tracking, 185

Navratilova, Martina, 132

NCSC, 347

Nelson, Rep. William, 22

Network

virtualized, 241

weaving, 113

Neumann, Helen K., 285

Nike Orion, 28

Nilsson, Erik, 183

Noncompromisibility, 347

of TCBs, 240

Nondeterminism in critical race conditions, 107

Nonrepudiation, 212, 347

Nontamperability, 347

NORAD

false alerts, 38

software modernization, 218

Norman, Donald A., 330

naming, 198

North, Oliver, 186

Northwest Airlines crash, 44, 220, 266

Nuclear power

9-Mile Point, 82

Bruce, 81

Chernobyl, 77

Crystal River, FL, 80

Davis-Besse, 76, 122

French, 81

Grenoble, 81

interference, 161

Lithuania, 82

NRC regulations, 78

simulation, 79

Sizewell B, 80

Soviet Navy submarine problems, 76

Soviet Union, 78

summary of early cases, 74

Three Mile Island, 75, 122

United Kingdom, 81

Nuclear submarines

Soviet Navy problems, 76

O’Connor, Ann Marie, 196

O’Connor, Anne Marie, 196

Object-oriented paradigm, 235, 237

abstraction, 235

encapsulation, 235

inheritance, 235

MLS databases, 237

polymorphism, 235

Objects, abstract, 242

Oklahoma compensation system, 217

Olympic Stadium roof tears, 62

Operating systems, 210, 347

hangup flaw, 107

Operation, anticipated in design, 238

OPSEC, 347

Optimization, 213

effects on code-spec consistency, 237

effects on requirements, 241

Orange Book, 347

Osgood, Charles, 195

Osprey, 37

Ovid, 1, 307

Ozols, Aldis, 279

Ozone layer

data lost, 289

depletion ignored, 267, 288

Pace, Alan Scott, 165

Page, Stephen, 319

Papert, Seymour, 331

Parker, Donn B.

computer crime, 323

ethics, 330

Parnas, David L.

documentation, 240

hierarchies, 240

specification, 240

Parnas, Lillian Chik, 188

Passwords

attacks, 103, 127

bypassed by trapdoors, 109

capture, 109, 211

compromise by compiler Trojan horse, 115

derivation, 109

encrypted in Unix, 109, 127, 133

file unprotected against writing, 110

flaws in mechanisms, 108

guessable, 108

nonatomic checking, 110

unencrypted, 109

universal, 109

vulnerabilities, 108, 127

Patriot, 124, 234

clock drift, 34, 237

Paul, James H., 328

Penetration of telephone network controls, 129

Pentagon DP system upgrade, 217

People, failures due to, 262

Pereira, Fernando, 317

Performance, very high, 213

Perrow, Charles, 5, 330

Normal Accidents, 316

Personal identification numbers, 165

Pest programs, 103-105, 347

Peterson, Ivars, 316

Petroski, Henry, 263, 269, 297, 316

Pfleeger, Charles, 325

Phaedrus, 285

Philhower, Robert, 297

Phobos 1, 29, 121, 156, 239

Phobos 2, 29, 156

Pig-Farm spoof, 146

Piggybacking, 113

in TENEX, 107

of up-links, 128

Pinkerton scammed, 167

PINs, see Personal identification numbers

Pirate TV, 153

Pirsig, Robert M., 285

Pistritto, Joe, 320

Playbacks, 113

Playboy channel interruptus, 154

Policy, 347

Pollyanna attitude, 296

Polymorphism, 235

Popp, Joseph, 141

Postol, Ted, 34, 286

Power problems, 74-85

Chicago flood, 84

earthquake side-effects, 83

Northeast U.S. blackout, 83

Ottawa blackout, 83

raccoon, Utah, 85

squirrel, 84

summary, 86

West coast blackout, 83

Principles

of design, 240

object-oriented, 235

for software engineering, 244

Prison problems, 174-176

Privacy

enforcement, 188-189

needs for, 181-183

problems, 181-202

summary of problems, 201

violations, 183-188

Privacy Digests, 315

Private keys, 347

Privileges

exceptions to, in requirements, 234

minimum, 225, 238

mishandling of exceptions, 238

separation of, 225

Process, 348

daemon, 212

Proctor & Gamble, 187

Programming languages

choice, 236

discipline in use, 236

Promiscuous mode in Ethernet, 211

Propagation of access rights, 99

Protocols

communication, 235

synchronization, 235

Proxmire, Senator William, 264

Public keys, 348

Public-key encryption

for authentication, 111

for key distribution, 212

Puget Sound ferry system, 58

Quayle, Dan, 186

Queen Elizabeth II hits shoal, 58

Race conditions

critical, 108

noncritical, 108

Radiation

effects, 71

overdoses

Sagitar-35, 70

Therac-25, 68

underdoses, 70

Railroad problems, 50-57

BART outages, 54

Berlin, 51

British Rail

leaves on track, 54

Severn Tunnel, 54

signaling bug, 52

Canada, 51

Chinese accident, 51

Japan, 51

London

Cannon Street, 52

Clapham Junction, 52

Docklands Light Railway, 52

Island Gardens, 52

London Underground

doors remain open, 53

driverless, 53

man caught in door, 53

wrong-way train, 53

San Francisco Muni Metro

crash, 55

ghost trains, 55, 287

Southern Pacific, 51

summary, 57

Sydney monorail outage, 56

train rolls 25 miles, 54

Randell, Brian, 88, 170

Randolph, General Bernard, 218

Ranzenbach, Edward, 161

Ravin, Ed, 87

Reagan, Ronald

plane interferes, 161

SDI, 264

Real-time

auditing, 213

programming languages

Estelle, 236

Euclid, 236

Reconfiguration

flaws introduced, 106

security risks, 239

Recovery, 213

backward, 228

forward, 228

Red Book, 348

Redundancy

dual, 328

inadequate, 211

TMR with voting, 328

Reference monitors, 348

Reid, Steven (both), 195

Reinsurance loop, 288

Reliability, 2

problems, 12-95

techniques, 227-231

Remote procedure calls, 240

Replay attacks, 211

Replication, virtualized, 241

Requirements, 348

critical, 3

definition of, 233

failures due to, 262

Residues, 106

examples, 145

Resources

misuse, 111-112

virtualized, 240

Restaurant computers, 193

.rhosts, 106, 127, 211

Richmond utility system, 216

RISC, 117

Rising Sun, 142

Risks, 2, 348

analysis, 255-257

assessment, 294-296

effects, 7

in the information infrastructure, 299

inherent in technology, 304

numerical summary, 309

sources, 5

Risks Forum

dates of volumes, 313

information, 314

Rivest, Ron, 331

Rivest-Shamir-Adleman (RSA) algorithm, 254, 348

attacks, 114

Roberson, Walter, 320

Robertson, Joseph O., 194

Robichaux, Paul, 317

Robotics

accidents, 64-67

Budd Company, 67

Connie Chung disappears, 66

deaths in Japan, 65

die-caster killed in Michigan, 65

electrician killed, 66

hospital aide stumbles, 66

Mt. Erebus exploration, 67

safety, 64-67

incidents, 66

system problems, summary, 67

waiter runs amok, 66

Rogan, Terry Dean, 194

Roller-coaster problems, 56, 163

Rose Bowl spoof, 149

Rose, Leonard, 135

Rosen, Eric

1980 ARPAnet collapse, 13

Rosenberg, Ronni, 182, 276

Rotenberg, Marc

privacy, 181

RPCs, see Remote procedure calls

RSA, see Rivest-Shamir-Adleman algorithm

rsh, 110

Rumrill, Clinton, 195

SAC, 38

Safety, 97, 346

control systems, 60-67

medical problems, 68-73

summary, 73

problems, 12-95

robotic systems, 64-67

Salt Lake City

roof collapse, 221

Saltman, Roy, 247, 325

Sandza, Richard, 137

Satellite Tracking Control Facility, 218

Scavenging

logical, 113

physical, 113

Schach, Stephen R., 329

Schaeffer, Rebecca, 184, 201

Scorpion, 38

Scott, Peter, 157, 322

Secrecy, 96

Secret keys, 348

cryptosystem, 348

Security, 2, 349

problems, 132-180

summary, 177

vulnerabilities, 96-119

Seeley, Donn, 320

Seldon, Hari, psychohistory, 257

SEN, see Software Engineering Notes

sendmail debug option, 106, 127, 133, 211

Seneca, 261

Separation

of concerns, 240

of duties, 240, 349

Sequencing flaws, 107

Servers

authentication, 212

distributed authentication problems, 111

problems, 212

file, 210

Shafer, Mary, 193

Shannon, Claude E., 329

Shared keys, 349

encryption, 212, 349

Sheffield jammed, 158

Shimomura, Tsutomu, 91

Ship

ballast-tank control problem, 59

problems, 58-60

summary, 60

runs into a reef, 59

Shockley, William, 242

Shuttle

41-G (Challenger) communications, 159

51-D (Discovery) landing gear, 124

Atlantis

STS-30 repairs, 23

STS-36 launch delay, 24

Challenger

41-G communications, 159

STS-6 software flaw, 21

STS-19 thermocouple, 22, 299

STS-25 explosion, 23

Columbia

STS-1 synchronization, 20, 237, 295, 298

STS-2 abort bug, 219

STS-9 solder, 21, 123, 298

STS-24 oxygen, 22, 299

STS-55 valve, 25

STS-58 glitch, 25

Discovery

51-D landing gear, 124

STS-18 laser experiment, 206, 299

STS-20 backup, 22

STS-26 software exposure, 144

STS-41 error, 24

STS-56 sensor, 24

Endeavour

STS-49 rendezvous, 24, 299

STS-61 Hubble repairs, 204

redundancy in, 328

Sicherman, George, 320

Siege, Scott, 193

Signatures, digital, 349

Simon, Gregory C., 328

Simons, Barbara, 302

Simpson, Homer, 186

Simula, 237

Simulation, 219-221

failures due to, 262

SKIPJACK encryption algorithm, 187, 280

Sklar, Richard, 195

Skylab, 159

Slone, Tom, 67

Smalltalk, 237

Smart cards, 349

Smith, Jennifer, 325

Social responsibility, 276-278

Software engineering, 231-242

benefits, 240

practice, 232-242

principles, 240

view of Clark-Wilson, 242

Software Engineering Notes

RISKS archives, 308

table of issue numbers, 313

Sommer, Judi, 190

Sorber, Russell, 282

Soyuz, 26

Space problems, 19-33

summary, 32

Spafford, Eugene

ethics, 273

spoofed, 146

technoterrorism, 215

Specification, 349

Speech recognition, 207

Speierman, Kermith, 299

Spelling corrector risks, 192

Spoofing, 145-153, 349

of E-mail, 145

with masquerading, 106

of network controls, 129

of satellite TV, 153

of up-links, 128

used defensively, 153

Cadsoft, 153

Continental Cablevision, 153

Sprite, file server recovery, 328

Spy taps, 113

Spying, 112

Squirrel

Providence power surge, 84

SRI power outages, 84

Star Wars (SDI), 31, 215, 233, 267, 295

Starman, Faye, 191

Stars and Stripes simulation glitch, 221

State machine, 349

States, 349

Stevens, Ray Todd, 172

Stokes, Don, 88

Stoll, Cliff, Wily Hackers, 134

Stoned III virus, 141

Stopera doors fail, 157

Stossier, Sheila Jackson, 195

Stover, Teresa, 196

Strassmann, Steve, 322

Stress problems, 71

Strigini, Lorenzo, 173

Strip-mining violators, 217

Stroud, Robert, 157

Subjects, partially trusted, 243

Submarine

hits trawler, 59

Scorpion, 38

Soviet nuclear problems, 76

Thresher, 318

Subversion, 349

Sun SPARC division flaw, 116

Sunset Boulevard sets move, 162

Sunspots affect Quebec, 161

Superuser misuse, 111

Surrogate for a user, 211

Survivability, 97

Swasy, Alecia, 187

Systems, 349

design, 234

development problems, 6

engineering, 232-242

operational problems, 6

view of risks, 257-259

viewpoint, 203-206

Talbott, Steve, 316, 331

Tampering, 350

Tandem

CLX clocks, 88

NonStop systems, 328

Tanenbaum, Andrew S., 329

Taurus (London Stock Exchange), 216

Taylor, James Edward (both), 196

TCB, see Trusted computing base

TCSEC, see Trusted Computer System Evaluation Criteria

Technology, risks in, 304-306

Telephone system

ATC problems, 17

backup battery, 16

cable cuts

Chicago, 15

New York, 16

Sprint fiber-optic, 16

Virginia, 16

clock problem, 16

fraud, 135

cellular, 136

problems, 14, 121

recovery bug, 15

SS-7 bug, 16

TENEX, 350

hangup flaw, 107

password flaw, 109

term, 88

Terminals

physically controlled, 117

Termination flaws, 106

Terminus, 135

Testing, failures due to, 262

Theater

interference

A Chorus Line, 161

Sunset Boulevard, 162

shutdowns

Grind, 157

Les Miserables, 157

The Who’s Tommy, 157

Therac-25, 68

misplaced trust, 266

nonatomic transactions, 208

Thomas, Martyn, 282, 283, 322

Thompson, Kenneth L.

C-compiler Trojan horse, 110, 248

dictionary attacks, 109, 143

Turing Address, 172

Threats, 2, 350

covert channels, 129

general, 210

in telephone switching, 127

Three Mile Island

indicators, 267

Time bombs, 103, 350

Time-of-check to time-of-use, 108

Timeliness, 97

Titan III

34-D loss, 28

Intelsat 6 launch, 24

Titan IV losses, 28, 219

Tobis, Michael, 304

TOCTTOU, see Time-of-check to time-of-use

Token authenticators, 350

Tomahawk, 158

Tomblin, Paul, 282

Topaz, 124

Tornado (fighter), 37

Toronto SkyDome, roof problem, 62

Toronto Stock Exchange, 122

Toxic leak, Union Carbide, 61

Tozer, Graeme, 319

Traffic analysis, 112

Transactions

atomic, 108

in Clark-Wilson, 242

nonatomic, 208

Trapdoors, 103, 129, 350

in access control, 105

attacks, 105, 108

summarized in Table 3.2, 106

bypassing passwords, 109

in memory reads, 109

Trojan horses, 103, 129, 211, 350

Trout, Michael, 319

Truesdell, Clifford, 331

Trust, 98, 350

engineering, 238

in people, 263

in systems, 263

misplaced, 265

Trusted Computer System Evaluation Criteria (TCSEC), 233, 350

Trusted computing base, 226, 350

and software engineering, 240

Trusted guards, 350

Trusted systems, 350

Trustworthiness, 98, 270, 350

of people, 210

of systems, 210

TRW credit privacy violations, 187

Ts’o, Theodore, 281

Tseng, Jymmi C., 51

Turner, Clark

Therac-25, 68

Two-phase commits, 328

Types, strong, 236, 240

Unexpected events, 286-291

Union Carbide, toxic leak, 61

Unix, 109, 350

Berkeley, 127

Untrustworthiness, 210

of communications, 211

of systems, 210

of users, 211

Upward, Antony, 321

User surrogates, 211

Vaccines, 350

Validation flaws, 107

Values, 273-276

van Beek, Piet, 320

van der Meulen, Meine, 320

van Oostrum, Piet, 157

van Vleck, Tom, CTSS, 155

van Wyk, Ken, VIRUS-L, 315

Vietnam Memorial, 190

Viking, 29

Vincennes, 35, 207

Virginia child-support system, 216

Virtualization, 225

of concurrency, 241

impact of, 244

of locations, 240

of networking, 241

of recovery, 241

of remoteness, 241

of replication, 241

of resources, 240

of transactions, 241

VIRUS-L Digest, 315

Viruses, 103, 211, 350

personal-computer, 105, 140, 323

polymorphic, 140

stealth, 140

strict-sense, 104

Voges, Udo, 170

Volkswagen fraud, 165

von Neumann, John, 329

von Rospach, Chuq (Spafford spoof), 146

Voting

challenges, 259

constraints, 243-253

errors, 171

fraud, 172

risks, 171-174

Vulnerabilities, 1, 351

avoidance of, 117-118

master-password attack, 115

in password mechanisms, 108

security, 98-103

Trojan horse attack, 115

WAIS, see Wide Area Information Server

Wallet blows out train window, 291

Wallops Island rockets, 160

Ware, Willis, 181

WarGames, 264

Water mains rupture in Fresno, 63

Waterfall model, 218

Weak links, 120, 291-294

DC-10 alarm power, 266

effects on development, 232

erroneous assumptions, 241

multiple, 130

in security and reliability, 117

Weatherley, Rhys, 90

Webber, Sir Andrew Lloyd, 162

Weber-Wulff, Debora, 52, 89, 322

Weingarten, Rick, 276

Weinstein, Lauren

Privacy Forum Digest, 315

RISKS by FAX, 314

Weinstock, Chuck, 158

Weisman, Bill, 325

Weissman, Clark, 280

Whitcomb, Coralee, 182

Whitehead, Alfred North, 221

Whitehouse, John H., 281, 283

Whiteley, Nicholas, 135

Whole Earth Review

on technology, 331

Wide Area Information Server, 314

Wiederhold, Gio, 324

Wiener, Lauren, 316

Williams, Ted, 149

Wittman, Richard G., 135

Wollongong misuse, 135

Workstations, 210, 241

World-Wide Military Command and Control Systems (WWMCCS)

false alarms, 38

Worms, 103, 104, 351

attacks, 351

constructive, 104

Shoch-Hupp, 104

Internet, 211. See also Internet Worm

malicious, 104

Wright, Gary, 319

Yellow Book, 351

Ziegler, J.F., 159

Zinn, Herbert, 136