precedence: bulk Subject: Risks Digest 21.11 RISKS-LIST: Risks-Forum Digest Weds 8 November 2000 Volume 21 : Issue 11 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks . Contents: [Another election special edition] Did a human factors problem affect the U.S. presidential election? (Steve Bellovin) More on Florida in this and previous elections (PGN) E-voting as a panacea for Florida count? (Jeremy Epstein) CNN: E-voting could have prevented U.S. election chaos (Evan McLain) "REALITY RESET": "Hacking the Vote" (Lauren Weinstein) Web sites report exit poll results before networks do (NewsScan) Political dirty tricks, cyber-style (NewsScan) Vote auction Web site moves operations overseas (NewsScan) UK air-traffic control problems (PGN) Indianapolis FAA route center running on generators for a week (Nathan Brindle) Raccoon power outage over the weekend (Dan Ellis) Researchers able to defeat digital music security measures (NewsScan) Verisign and MS authenticode (Carl Byington) Microsoft Web site vandalized (NewsScan) The latest in anti-spam technology (Greg Compestine) Re: EMI, etc. (Pete Mellor) 2001 USENIX Annual Technical Conference - Call For Papers (Andrea Galleni) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Wed, 08 Nov 2000 14:15:47 -0500 From: Steve Bellovin Subject: Did a human factors problem affect the U.S. presidential election? The outcome of the U.S. Presidential election may have been determined by poor human factors in a computerized vote-casting system. As of this writing (early afternoon on Wednesday), Bush and Gore are separated by less than 1800 votes (.03%) in Florida. Due to the arcana of U.S. election law, whoever carries Florida at this point will win the overall election. And there's a problem in one county that may have resulted in ~3000 votes that were intended for Gore in fact being cast for Buchanan, a minor party candidate. Palm Beach County uses a punch-card voting system. Because of the layout of the names relative to the holes and the buttons to punch those holes, it was apparently easy to get confused about how to vote for Gore. Apart from all the calls to the election board by confused voters, there is circumstantial evidence from the actual tally: Buchanan drew 3407 votes in this county, more than anywhere else in the state, and considerably at variance with both the usual demographics (this county is heavily Democratic, and would be expected to vote for Gore) and with the number of votes Buchanan received in similar, neighboring, larger counties (789 in Broward; 561 in Miami-Dade County). The director of the state Department of Elections doesn't think there's a problem -- but he was appointed by Jeb Bush, governor of Florida and brother of the Republican presidential candidate... --Steve Bellovin ------------------------------ Date: Wed, 08 Nov 2000 16:17:09 PST From: "Peter G. Neumann" Subject: More on Florida in this and previous elections In addition to the Palm Beach County curiosity noted by Steve Bellovin, a heavily loaded ballot lock box was found today in a heavily Democratic precinct. I don't think this is what Al Gore meant by a "Lock Box on (Social) Security." For some historical perspective, we might recall the 1988 election in Florida, in which there were 200,000 fewer votes for the Senate race than for the presidential candidates, and the remarkable anomaly was mostly only in four counties administered by a particular computer system vendor. The declared winner was Connie Mack, who has just retired, 12 years later. See *The New York Times*, 12 Nov 1988, and RISKS-7.78. And then there was the St Petersburg city election in March 1993 in which 1429 votes were recorded for the incumbent mayor tabulated under an industrial precinct that had ZERO voters, where the mayor won the election by 1425 votes. Fuzzy math strikes again? See Rebecca Mercuri, Corrupted Polling, Inside Risks, *Communications of the ACM*, vol 36 no 11, Nov 1993, p.122, on her Web site at http://www.seas.upenn.edu/~mercuri/mynewhome/Papers/corrpoll.html I would not trust a computerized voting system even if I had written it myself, because of the many ways in which such systems can be subverted. (Last night's events will undoubtedly slow down the final wrapup of Rebecca's PhD thesis noted in RISKS-21.10, because there is more potential grist for her mill -- not just in Florida, but in other states as well.) PGN] ------------------------------ Date: Wed, 8 Nov 2000 15:28:02 -0500 From: "Jeremy Epstein" Subject: E-voting as a panacea for Florida count? http://www.cnn.com/2000/TECH/computing/11/08/e.voting.no.gamble.idg/index.html An article on CNN.com quotes "experts" as saying that the problems getting an accurate vote could have been avoided if everyone used electronic vote counting technology. [Note: not online voting... just electronic voting machines.] The article says in part "'Of course you would have 100 percent accuracy with electronic voting. That would prevent the necessity of a recount,' said Hans van Wijk, who markets electronic voting systems for Groenlo, Netherlands-based Nedap. In the Netherlands, some 80 percent of precincts use e-voting, he said." As has been discussed numerous times in RISKS (including yesterday in RISKS-21.10), electronic counting is certainly not 100% accurate. But if this is what the public thinks of electronic counting, will there be the same naive expectations about accuracy of online voting? The article talks about that too (quoting someone from Baltimore Technologies as saying "Online voting would not only dramatically reduce the count time but also ensure a more reliable initial result"). There is an acknowledgement that online voting has its own dangers, noting the risks of accurate identification of users, denial of service, and malicious attacks. No recognition though of the risks of just plain malfunctioning software, though. Gotta go. All this gore-y discussion of a recount in Florida has me bush-ed. --Jeremy [For those of you who have not seen it, PLEASE read the People For Internet Responsibility Statement on Internet Voting: http://www.pfir.org/statements/voting PGN] ------------------------------ Date: Wed, 8 Nov 2000 19:43:29 -0000 From: McLain Evan M CPT Subject: CNN: E-voting could have prevented U.S. election chaos CNN's story about voting technology, on-line and otherwise: http://www.cnn.com/2000/TECH/computing/11/08/e.voting.no.gamble.idg/index.html An interesting quote from the article: "But Dublin-based electronic security company Baltimore Technologies said reliability is no problem. "Online voting would not only dramatically reduce the count time but also ensure a more reliable initial result," said a spokeswoman. She added that online voting would help older, ill, and disabled voters to take part in the polls." RISKS readers will be happy to see there is also a discussion of potential fraud and security risks. Evan McLain ------------------------------ Date: Wed, 8 Nov 2000 12:46:51 -0800 (PST) From: reality@vortex.com ("Reality Reset") Subject: "REALITY RESET": "Hacking the Vote" "REALITY RESET" http://www.vortex.com/reality by Lauren Weinstein (lauren@vortex.com) November 8, 2000 Today's Edition: "Hacking the Vote" http://www.vortex.com/reality/2000-11-08 To subscribe or unsubscribe to/from this list, please send the command "subscribe" or "unsubscribe" respectively (without the quotes) in the body of an e-mail to "reality-request@vortex.com". "Hacking the Vote" (November 8, 2000) "If they'd been listening to me all along, all of this election confusion could have been avoided," said Paddy Mastoid. Paddy is the president of trust-us-not-to-badly-screw-up-your-vote.com, a firm promoting Internet voting systems. I found 12 messages from him on my voicemail this morning, as the nation awoke to the bizarre aftermath of election day, with a historically close election still undecided and the U.S. population swinging slowly in the wind. "Look at this mess," said Paddy. "Now they have to re-count all those votes in Florida, there are concerns over voting irregularities down there, and we might well end up with a President who didn't even win the popular vote! Talk about not having a mandate. And I could have prevented all of this hassle!" "How so?" I asked. "Basically, our plan is to eliminate all those long lines at those obsolete polling places. We want to toss the antiquated paper ballots, punch cards, and mechanical voting machines out the window. We'll let people vote online using the same home and office PCs that they already use for accessing offshore gambling sites and downloading porn." "Hmmm. Sounds like a tempting goal, but aren't you worried about security, reliability, all that sort of stuff?" I asked. "Hey, we didn't just fall off the turnip truck. We're using secure, redundant Web servers, so your vote will be just as safe as your credit card numbers during online purchases," said Paddy. "You're happy buying things online, aren't you?" "Well, no, not really, not with all of the security breaches at sites that were supposed to be secure, and their compromising of personal information. I realize that things can go wrong with old-style voting systems, especially if they're set up badly, but at least with them it's usually possible to do various forms of meaningful re-counting when there's a question about an election's validity." "But that's my whole point!" said Paddy. "Look at all the trouble being caused by even being *able* to do a physical re-count. Wouldn't it be better to have a nice, computerized system where all the votes are electronic and stored safely in computers where nobody but programmers, system administrators, and top election officials can screw around with them? You don't think any of those guys would mess things up do you? When it's all in the computer, you don't have any *choice* but to trust the computer! You can't really re-count so there'd be no point to complaining. Problem solved!" "Hmmm. What about hackers? If these systems are on the Internet, they'd seem just as vulnerable to attack and manipulation as any other so-called secure sites." "Not to worry!" said Paddy. "We ran a contest and invited hackers to crack our demonstration system. Five people tried and the only guy who got in was a 12 year old kid in West Palm Beach, and he promised cross-his-heart not to tell anyone how after we gave him a DVD player! No problem there." "But why would most hackers even want to tip their hands by playing with your demo sites? Wouldn't the real pros just wait until a real election and then flood your servers with garbage to block real voters out? Couldn't they plant surprises in unrelated downloads that could hide on people's PCs for months or years before being activated on election day to disrupt or manipulate the voting process? There's really no way to secure the typical operating systems that most people have on their home or office computers from those sorts of attacks," I said. "Picky, picky, picky!" said Paddy. "I say let's just deploy these Internet voting systems now and keep the people happy. If these hypothetical hackers you're talking about are really that good, we probably wouldn't even realize that they'd been screwing around with the election anyway. Ignorance can be bliss. And that would sure be preferable to all the hassles they're having in Florida today!" "I really don't think that's necessarily true ..." "And at least we wouldn't have network TV anchors getting punchy from being up all night!" said Paddy. "You do have a point about that," I said. "I knew that I could convince you, Lauren." --Lauren-- Lauren Weinstein, lauren@pfir.org or lauren@vortex.com or lauren@privacyforum.org Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org Moderator, PRIVACY Forum - http://www.vortex.com Member, ACM Committee on Computers and Public Policy Copyright 2000 by Vortex Technology. All rights reserved. This item may be freely redistributed so long as it is complete and includes this notice. ------------------------------ Date: Wed, 08 Nov 2000 09:12:36 -0700 From: "NewsScan" Subject: Web sites report exit poll results before networks do Whereas mainstream news organizations were bound by self-imposed rules preventing them from releasing state exit poll results before the polls closed, a number of politically oriented Web sites leaked the results as soon as they were available. Voter News Service (VNS), the consortium of news organizations that conducted the exit polls, is threatening to bring legal action against the sites that leaked early results, including DrudgeReport.com and Inside.com -- which, however, indicated that they obtained the information not from VNS but from unidentified sources. Inside.com editor Michael Hirschorn said that he had received e-mail leaks from dozens of mainstream journalists, and that the public have as much right to know that kind of information as journalists do. He added: "The genie is out of the bottle, and it's wishful thinking that you could put it back in. Once this information is out, thanks to e-mail and the Internet, it becomes incredibly easy to distribute." [AP/*San Jose Mercury News*, 7 Nov 2000 http://www.mercurycenter.com/svtech/news/breaking/ap/docs/606384l.htm; NewsScan Daily, 8 Nov 2000] ------------------------------ Date: Wed, 08 Nov 2000 09:12:36 -0700 From: "NewsScan" Subject: Political dirty tricks, cyber-style In the closing hours of the election campaign the site of the Republican National Committee (RNC) was vandalized by hackers who urged visitors to vote for Gore. The Democratic National Committee (DNC) denied it had any connection to the act of vandalism, and said intruders had forced the shut-down of the DNC's external e-mail system. [AP/*USA Today*, 7 Nov 2000 http://www.usatoday.com/life/cyber/tech/cti782.htm; NewsScan Daily, 8 Nov 2000] ------------------------------ Date: Thu, 26 Oct 2000 09:44:02 -0700 From: "NewsScan" Subject: Vote auction Web site moves operations overseas A Web site offering to sell 21,000 votes for President to the highest bidder has changed its domain name and transferred its registration to a company based in Germany. The www.vote-auction.com site asks visitors to fill out personal details and then offers to sell the votes in blocks broken down by state. The goal, according to the Web site, is to bring "the big money of campaigns directly to the voting public," but the owners, who are Austrian, say they still need to work out the details of how everyone would get paid, and how to verify that they cast the right ballot. The site has been criticized by election officials in Michigan, New York and other states, but as of its reopening this week, more than 2,500 California voters had offered their votes and the leading bid was $48,000, or $19.61 per vote. In August, six people offering to sell their votes for President drew bids as high as $10,000 on eBay before the online auctioneer shut them down. [AP 25 Oct 2000 http://news.excite.com/news/ap/001025/20/votes-for-sale ; NewsScan Daily, 26 Oct 2000] ------------------------------ Date: Sat, 04 Nov 2000 20:27:12 From: "Peter G. Neumann" Subject: UK air-traffic control problems If you are interested in aviation safety, you might want to check out http://www.pprune.org, click on "Forums", and then "rumors and news", for a remarkable collection of computer problems related to ATC in the UK. ------------------------------ Date: Tue, 07 Nov 2000 23:45:58 -0500 From: Nathan Brindle Subject: Indianapolis FAA route center running on generators for a week A week later, the FAA route center at Indianapolis is still running on backup generator power ever since a 31 Oct 2000 power outage that "caused flight delays and at least two close encounters between airplanes". The cause of the original outage was still unknown. The route center has 6 diesel generators, three of which are used normally and the other three are for backup. However, after the outage, the diesels fired up, but the main radar could not be brought back up. The 70 controllers had to had planes off to other centers. Close calls were reported by a private jet and a USAir flight. Onboard collision avoidance was given credit for avoiding any tragedies. [Source: An article in the *Indianapolis Star*, 7 Nov 2000 (Generators used for flight routing as a precaution, by Terry Horne); PGN-ed] ------------------------------ Date: Mon, 6 Nov 2000 11:19:42 -0800 (PST) From: Dan Ellis Subject: Raccoon power outage over the weekend I received the following e-mail on a Monday afternoon (after the problems had been fixed). Several physical devices had been damaged (network hubs and switches) at UC Santa Barbara making for a very unproductive time for many employees and students and for a very stressful time for facility and system administrators. The point: the weak link will be found and exploited by somebody or something, causing discomfort to us all. Malicious intent is not a prerequisite. Dan Ellis, PhD student, UCSB, ellisd@cs.ucsb.edu (805) 893-4394 > Date: Mon, 06 Nov 2000 08:33:55 -0800 > From: dragon@ece.ucsb.edu > To: coe-notify@engineering.ucsb.edu, all-grad@engineering.ucsb.edu > Subject: power outage over the weekend > Information only -- > A bit after midnight Friday/Saturday, a raccoon strolled into the power > substation that serves this end of campus and got across a transformer > that takes the 16kV line down to 4160VAC. The raccoon paid the price for > this, and he is now merely a warning example of how fragile our power > infrastructure can be. > However, various buildings on campus also paid a price, as all power on > the "A" feeder was off line for nearly two hours. > Some functions in some buildings had not been restored by this morning, > however, including HVAC and equipment chilled water in Engineering 1. > Almost all this equipment is now back in operation. You may wish to check > computers and process controllers to determine if harm was done during > this outage. [A Rocky Raccoon gets added to the long list of Reubened Mammalians. Must have been Raccoonoitering. After all, it was noit toim, even if not Down Under! PGN] ------------------------------ Date: Tue, 24 Oct 2000 08:17:09 -0700 From: "NewsScan" Subject: Researchers able to defeat digital music security measures A team of computer scientists at Princeton and Rice Universities and the Xerox Palo Alto Research Center (PARC) has been able to remove the invisible "watermarks" used by the 200-company Secure Digital Media Initiative (SDMI) to protect digital music files from pirates. SDMI had offered a prize [RISKS-21.05] to anyone who could defeat its various security measures, four out six of which make use of watermarks. SDMI's Tala Shamoon said, "I expected some would have fallen. This is part of an empirical process to get the best technology." [AP/MSNBC 24 Oct 2000; http://www.msnbc.com/news/480521.asp NewsScan Daily, 24 Oct 2000] ------------------------------ Date: Mon, 23 Oct 2000 13:04:59 -0700 From: Carl Byington Subject: Verisign and MS authenticode MS has an authenticode mechanism that allows publishers to digitally sign their code using certificates from Verisign. The code is signed via a MS program (signcode) with "-t http://timestamp.verisign.com/scripts/timstamp.dll" as an option. The Verisign stuff is suppose to properly timestamp the signature, but their clock is very wrong!! I did the signature at 12:42, and the .exe now has a new modification timestamp of 12:42, but the certificate claims it was signed at 12:46. So we cannot really believe the times in any of these Verisign certificates. http://www.five-ten-sg.com ------------------------------ Date: Fri, 27 Oct 2000 09:00:30 -0700 From: "NewsScan" Subject: Microsoft Web site vandalized Microsoft's internal computer network was invaded by "trojan horse" software that caused company passwords to be sent to an e-mail address in St. Petersburg, Russia. Calling the act "a deplorable act of industrial espionage," Microsoft would not say whether or not the hackers may have gotten hold of any Microsoft source code. [AP/*The New York Times*, 27 Oct 2000 http://partners.nytimes.com/2000/10/27/technology/27WIRE-MSHACK.html; NewsScan Daily, 27 October 2000] [The following issue of NewsScan on 31 Oct 2000 (Hallowe'en!) noted Microsoft says the attack lasted only 12 days instead of the 5 weeks reported earlier, and no major corporate secrets were stolen. PGN] ------------------------------ Date: Mon, 6 Nov 2000 08:27:47 -0800 From: "Greg C" Subject: The latest in anti-spam technology This morning I received a spam item that originated in a yahoo account. Yahoo seems to be pretty good at responding to spam, so I forwarded a report to them. I noticed in the body of the email that there was the quasi-traditional "to unsubscribe send your email address" to an account at myrealmailbox. So I did the obvious and forwarded the spam again to myrealmailbox (after first browsing their Web site trying in vain to find a policy towards spam.) In return I received this reply: >From: abuse@myrealbox.com >To: gmc333@my-deja.com >Subject: Automatic reply >Date: Mon, 06 Nov 2000 09:09:05 +119303947 (MDT) > >Novell and myrealbox.com are not responsible for this >mailing, it has not used our network or e-mail system. Novell >Internet Message System (NIMS) employs some of the most >sophisticated anti-spamming technology in the industry. >The sender fraudulently used myrealbox.com >IDs for replies or opt-out mails. These accounts >never existed or have been terminated. We are committed >to helping to eliminate this type of mail system >abuse. The RISKS? Apparently the technology is so advanced it's learned the art of plausible deniability. There is also the RISK that a human will never find out what I originally complained about and modify the system appropriately. Greg Compestine http://homestead.deja.com/user.gmc333/index.html ------------------------------ Date: Mon, 16 Oct 2000 22:46:01 +0100 (BST) From: Pete Mellor Subject: Re: EMI, etc. (Ladkin, RISKS-21.08) Regarding the enormous convoluted problem of how much EMI is required to cause a spark and hence an explosion in a fuel tank (Re: EMI, TWA 800 and Swissair 111, from Peter B. Ladkin, RISKS-21.08), Andy Weir, in his book "The Tombstone Imperative" made a very simple suggestion: Fill the vacant space above the fuel in the tanks with nitrogen, and any spark, however caused, cannot lead to an explosion. Should not engineers welcome the most simple solution to a problem? Should we not listen to people who are not engineers? Peter Mellor, Centre for Software Reliability, City University, London EC1V 0HB +44 (0)20 7477 8422 Pete Mellor ------------------------------ Date: Thu, 26 Oct 2000 17:28:02 -0700 From: Andrea Galleni Subject: 2001 USENIX Annual Technical Conference - Call For Papers 2001 USENIX Annual Technical Conference Announcement and Call for Papers 25-30 Jun 2001, Marriott Copley Place Hotel Boston, Massachusetts USA http://www.usenix.org/events/usenix01 Sponsored by USENIX, the Advanced Computing Systems Association FREENIX Refereed Track: November 27, 2000 General Session Refereed Track: December 1, 2000 Notification to authors: January 31, 2001 Camera-ready papers due: May 1, 2001. Program Chair: Yoonho Park, IBM Research USENIX Conference Office 2560 9th Street, Suite 215 Berkeley, CA 94710 USA Phone 510-528-8649; Fax 510-548-5738 email: conference@usenix.org ------------------------------ Date: 15 Aug 2000 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, SEND DIRECT E-MAIL REQUESTS to with one-line, SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or INFO [for unabridged version of RISKS information] .MIL users should contact (Dennis Rears). .UK users should contact . => The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. => ARCHIVES are available: ftp://ftp.sri.com/risks or ftp ftp.sri.comlogin anonymous[YourNetAddress]cd risks [volume-summary issues are in risks-*.00] [back volumes have their own subdirectories, e.g., "cd 20" for volume 20] http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]. http://the.wiretapped.net/security/textfiles/risks-digest/ . ==> PostScript copy of PGN's comprehensive historical summary of one liners: illustrative.PS at ftp.sri.com/risks . ------------------------------ End of RISKS-FORUM Digest 21.11 ************************