Subject: Risks Digest 22.25

RISKS-LIST: Risks-Forum Digest  Monday 23 September 2002  Volume 22 : Issue 25

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks .

Contents: [Backlogged]
  Elections In America - Assume Crooks Are In Control (Lynn Landes via Rebecca Mercuri)
  Re: Florida Primary 2002: Back to the Future (Bob Morrell)
  Georgia Secretary of State response to Mercuri (Chris Riggall via Donald R. Calabro Jr.)
  Election idiocy crosses state lines (Mark Richards)
  Retrospective Karger/Schell paper on Multics Security Evaluation (Steve Summit)
  Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 18 Sep 2002 09:09:35 -0400
From: "Rebecca Mercuri"
Subject: Elections In America - Assume Crooks Are In Control, Lynn Landes

[Spin Doctors at it again! Rebecca.]

Elections In America - Assume Crooks Are In Control
Lynn Landes, 16 Sep 2002

Don't blame the poll workers in Florida. The facts, supported by voting machine experts and numerous newspaper articles, have made it clear. Computerized voting machines that were certified by the state of Florida, caused most of the problems in Florida's primary election. In the absence of paper ballots, the damage is now irreversible. This was no accident. It's not new. And Florida is not alone.

"The concept is clear, simple, and it works. Computerized voting gives the power of selection, without fear of discovery, to whomever controls the computer," wrote the authors of VoteScam (1992), James & Kenneth Collier (both now deceased).
It's a 'must read' book about how elections have been electronically and mechanically rigged in the United States for decades, and with the knowing and sometimes unknowing support of media giants and government officials, including... ironically... Janet Reno. Only a few companies dominate the market for computer voting machines. Alarmingly, under U.S. federal law, no background checks are required on these companies or their employees. Felons and foreigners can, and do, own computer voting machine companies. Voting machine companies demand that clients sign 'proprietary' contracts to protect their trade secrets, which prohibits a thorough inspection of voting machines by outsiders. And, unbelievably, it appears that most election officials don't require paper ballots to back up or audit electronic election results. So far, lawsuits to allow complete access to inspect voting machines, or to require paper ballots so that recounts are possible...have failed. As far as we know, some guy from Russia could be controlling the outcome of computerized elections in the United States. In fact, Vikant Corp., a Chicago-area company owned by Alex Kantarovich, formerly of Minsk, Belorussia (also known as White Russia, formerly U.S.S.R.), supplies the all-important 'control cards' to Election Systems & Software (ES&S), the world's largest election management company, writes reporter Christopher Bollyn. According to ES&S, they have "handled more than 40,000 of the world's most important events and elections. ES&S systems have counted approximately 60% of the U.S. national vote for the past four presidential elections. In the U.S. 2000 general election, ES&S systems counted over 100 million ballots." Getting back to Kantarovich, he would not disclose where the control cards are made, except they aren't made in America, writes Bollyn. Nor would he discuss his previous employment. Bollyn says he got some not-too-thinly-veiled threats from Kantarovich. 
Kantarovich sounds more like the Russian mafia, than a legitimate businessman. But the really big deal is this....all of ES&S's touch screen machines contain modems, "allowing them to communicate-and be communicated with-while they are in operation," reports Bollyn. That communication capability includes satellites. "Even computers not connected to modems or an electronic network can still be manipulated offsite, not during the election, but certainly before or after," says voting systems expert Dr. Rebecca Mercuri. ES&S supplied the touch screens for Miami-Dade and Broward counties where the worst machine failures occurred. But the debacle was nothing new for ES&S. Associated Press (AP) reporter Jessica Fargen wrote in June 2000, "Venezuela's president and the head of the nation's election board accused ES&S of trying to destabilize the country's electoral process. In the United States, four states have reported problems with equipment supplied by the company. Faulty ES&S machines used in Hawaii's 1998 elections forced that state's first-ever recount." Sequoia is another voting systems company that sends a cold chill down my spine. "Mob ties, bribery, felony convictions, and threats of coercion are visible in the public record of the election services company," according to investigative journalist and filmmaker Daniel Hopsicker, and reported in Spotlight.com. Hopsicker says that Pasquale "Rocco" Ricci, a 65-year-old senior executive with Sequoia, and the firm's Louisiana representative, recently pled guilty to passing out as much as $10 million dollars in bribes over the course of almost an entire decade." According to American Law Education Rights & Taxation (ALERT), Ricci is the president of Sequoia International, which also manufactures casino slot machines. That's just great. Now, we could possibly have both the Russian mafia and the U.S. mafia involved in our elections. In May 2002 Sequoia was bought by De La Rue, based in England. 
By their own estimate, De La Rue is "the world's largest commercial security printer and papermaker, involved in the production of over 150 national currencies and a wide range of security documents such as travelers checks and vouchers. Employing almost 7,000 people across 31 countries, (De La Rue) is also a leading provider of cash handling equipment and software solutions to banks and retailers worldwide." And they develop technology for secure passports, identity cards, and driver's licenses. Okay, add Dr. Evil to the mix and be on the look-out for international money launderers, drug kingpins, and Nazis. The Shoup Voting Solutions of Quakertown, Pennsylvania, has a reputation for rigging elections, wrote the late co-author of VoteScam, Jim Collier. According to Collier, in 1979, Ransom Shoup II, the president of the firm, was convicted of conspiracy and obstruction of justice stemming from an FBI investigation of a vote-fixing scam involving the old-fashioned lever machines in Philadelphia." These reports are just the tip of the iceberg. The numerous instances of U.S. voting systems error and fraud are documented in a 1988 report for the U.S. Commerce Department entitled, "Accuracy, Integrity, and Security in Computerized Vote-Tallying" by Roy G. Saltman, a computer consultant for the National Institute of Standards and Technology's Computer Systems Laboratory. Many other experts and observers have been warning and complaining about these problems for decades. But complaints, warnings, reports, and books like "VoteScam," haven't deterred government officials like Pinellas County (Florida) Commissioners Calvin Harris and County Judge Patrick Caddell. They told the St. Petersburg Times in October 2001 that they were aware that all of the voting machine companies had "problems in their pasts." But, Harris said, "We have to look at this objectively and not get tied up into the emotions of, 'Some guy might be a crook." 
Dear Commissioner Harris...when it comes to elections in America...assume crooks are in control...and then act accordingly.

Links:
  a. http://www.votescam.com
  b. http://www.securepoll.com
  c. http://www.commondreams.org/views02/0805-07.htm

Lynn Landes, 217 S. Jessup Street, Philadelphia, PA 19107 / (215) 629-3553 / (215) 629-1446 (FAX & ISDN) lynnlandes@earthlink.net

Lynn Landes is a freelance journalist specializing in environmental issues. She writes a weekly column which is published on her website www.EcoTalk.org and reports environmental news for DUTV in Philadelphia, PA. Lynn's been a radio show host and a regular commentator for a BBC radio program.

------------------------------

Date: Wed, 11 Sep 2002 13:18:09 -0400
From: "Bob Morrell"
Subject: Re: Florida Primary 2002: Back to the Future (Mercuri, RISKS-22.24)

I think the problems with the Florida voting system could be used as a case study on how not to implement a computerized system. Indeed, any intelligent analysis of the tasks and resources should have warned designers that significant problems were ahead.

Device use is infrequent. The staff responsible for the devices (poll watchers) are usually undertrained volunteers, often elderly retirees with little experience with electronic devices, much less computers. Overall system management responsibility is completely decentralized and has low priority in all locations. The main users (voters) are completely untrained. The frequency of exceptions to rules and the need for override capability is high (flying in the face of the needs for security) and resource allocation (after the initial post 2000 flurry of concern) for changes and needed alterations is extremely low.

Some of the problems listed by Rebecca Mercuri (Risks Digest 22.24) and in the general media are so incredible, one has to assume that the vendor selected for the contract won the bid by cutting some very basic corners.
I think that Mercuri's call for a moratorium throughout the United States (and world) on the procurement of electronic voting systems that do not provide voter-verifiable paper ballots is the starting point for reform. But beyond that, given the current operational parameters, one has to ask whether this system, as is, can be computerized to any great degree.

Bob Morrell http://home.triad.rr.com/bmorrell/

------------------------------

Date: Mon, 16 Sep 2002 20:29:17 -0400
From: "Donald R. Calabro Jr."
Subject: Georgia Secretary of State response to Mercuri in RISKS-22.24

This is a response to Rebecca Mercuri's article "Florida Primary 2002: Back to the Future," from Chris Riggall, The Press Secretary for Cathy Cox, GA Secretary of State.

Mr. Calabro:

Thanks for your message, and for passing along the response from Ms. Mercuri. I'm not sure what issues Ms. Mercuri refers to as far as the equipment in Georgia is concerned, but I'll try to take a stab at it.

We operated the new AccuVote TS systems in two counties in the Aug. 20th Primary and Sept. 10th runoff elections. The performance of the equipment in these "real world" settings was quite good, and based on both media accounts and our personal visits to precincts those days in Hall and Marion Counties, the response of voters was overwhelmingly positive.

On the Primary Aug. 20th, many of the other 157 counties also had the equipment displayed in voting precincts with a demonstration ballot. This was one component of a broad based voter education campaign -- to let voters see for themselves the new technology they would vote on in November. Among these units about five percent reported problems with screen freezes -- and the solution in that circumstance is to turn the unit off, then back on again.
This was unfortunate, but not unanticipated since several weeks prior to the primary Diebold and we became aware that this problem could occur and was the result of a conflict between the unit's firmware and a new release of Windows CE that serves as the units' operating system (as a PR guy, I'm on shaky ground trying to explain this to an IT expert!). Diebold programmers developed a patch which was applied to the units deployed in Hall and Marion counties, and we were pleased that not one freeze was reported among the tens of thousands of votes cast there. Unfortunately, we simply did not have the time to apply the patch to the demo units, but that is now occurring to all units in all counties and the last increment of shipments from Diebold had this fix loaded before leaving the factory. Not referring to Ms. Mercuri, of course, but we have had some wild allegations about equipment failures in Hall and Marion during these two elections. One Georgia political party chairman (he'll go unnamed) put out a news release claiming that voters in one Hall precinct were turned away because of equipment failures and were issued "vouchers" so they could return and vote later. Balderdash. Never happened. Regarding Maryland, the coverage that I saw of that election using Diebold equipment last week came from the Washington Post -- not exactly an uncritical media outlet. The primary complaints from that seemed to be focused on Montgomery County, (one of four counties using that equipment -- representing 40 % of that state's voters) where results were relatively slow to be compiled and reported. While slow reporting is not ideal, it is not in the least the kind of critical failure that occurred in two Florida counties (Dade and Broward) out of the 15 that deployed new DRE systems last Tuesday. We would completely agree, and media accounts from Florida suggest, that the critical issue is education of voters and, even more importantly, poll workers before the election takes place. 
We are putting a tremendous focus on this and providing to the counties an array of training and technical support -- including hands-on classroom training for about 6,000 poll workers. I think her suggestion about using college IT students is an excellent one, and we have been working with county election officials for a year to help them expand their poll worker recruitment efforts and expand their traditional pool to include teachers, students and others with some level of technical knowledge.

Also regarding Maryland, I thought I would include some information Diebold put out last week -- don't mean to burden you with corporate PR stuff, but there are some quotes from Maryland election officials which I thought you would find of interest.

Again, thanks for contacting us. I know that not every single thing on Nov. 5th will take place perfectly (no election has ever met that standard) but we are very cognizant of the training issues and are working hard to make sure the counties perform in this critical area.

Here's the Diebold info:

DIEBOLD TOUCH-SCREEN VOTING TERMINALS PERFORM WELL IN PRIMARY ELECTIONS
Voters in Maryland, Georgia and Kansas Show Widespread Acceptance to New Technology

Photo available at http://www2.diebold.com/whatsnews/pr/photo.htm

NORTH CANTON, Ohio - Diebold Election Systems, Inc., a wholly owned subsidiary of Diebold, Incorporated, today announced its touch-screen voting terminals performed extremely well in four counties within the state of Maryland. This election marks the state's first widespread use of the new AccuVote-TS electronic touch-screen voting system to be deployed statewide for future elections.

Over 40 percent of the state's 2.7 million registered voters, located in four counties - Montgomery, Prince George's, Allegheny, and Dorchester - were the first to use the new electronic voting system in Tuesday's primary election.
Currently, Diebold has touch-screen voting systems in more than 170 counties in many states throughout the United States, totaling more than 35,000 voting stations. Diebold's touch-screen system was not utilized in the recent Florida primary election. "The response from voters was absolutely positive," said Margaret Jurgensen, election director, Montgomery County Board of Elections. "I spoke to many voters after they cast their ballots, and they stated that they loved the ease of voting with the new system. Many voters commented about the ease of reading the ballot on the touch screen. One visually impaired voter was able to vote for the first time without assistance because of the ballot magnification feature of the system. As with any new technology, our election staff grew more comfortable with the system as the day progressed, and we see the implementation of the touch screen system continuing to improve as our staff becomes more familiar with the technology." "Our first touch screen primary election was a tremendous success," stated Donna Rahe, Dorchester County election director. "The voters of Dorchester County adapted to the touch screen technology extremely well, and the combined coordination efforts of the county's election staff and Diebold Election Systems caused a very smooth transition to the new election system." Diebold experienced similar success in August when voters in Hall and Marion counties in the state of Georgia tallied primary election results on the touch-screen voting system. Georgia is the first state in the country to implement a uniform statewide, computerized touch-screen voting system. Earlier this year, Diebold announced a $54 million agreement with Georgia officials to overhaul the state's election system technology making the state a national leader in replacing outdated election equipment. 
"Georgia's new uniform electronic voting system received its first test in the Primary Election and the Diebold units passed with flying colors," said Georgia Secretary of State Cathy Cox, Georgia's chief elections official. "Throughout Hall and Marion Counties we heard extremely positive comments from voters and poll workers about the convenience, security and ease of use of the new AccuVote-TS units."

Voters in Johnson County, Kansas, were pleased with the touch-screen system as well. Approximately 99-percent of the voters who completed a comment card after using the system gave it a favorable rating.

"The Johnson County Election Office is proud of its reputation of making voting convenient and accessible," said Connie Schmidt, Johnson County Election Commissioner. "We are pleased to be the first county in the Midwest to deploy touch-screen voting computers to all polling places countywide."

"Considering the magnitude of these elections, which includes more than 870,000 registered voters within the four Maryland counties, we are very pleased with the results as every single vote was accurately counted," said Bob Urosevich, president of Diebold Election Systems, Inc. "Increased familiarity with the system will continue to make the process even smoother in future elections. We are working with the voters, poll workers and election officials to ensure that the entire process is intuitive and streamlined for everyone involved."

Chris Riggall
Press Secretary
Ga. Secretary of State Cathy Cox
110 State Capitol
Atlanta, Ga. 30334
404-656-5792

------------------------------

Date: Thu, 19 Sep 2002 16:31:22 -0400
From: "Mark Richards"
Subject: Election idiocy crosses state lines

When America sends its youth to war, at least in the past, it was for protecting our freedoms. Now we send our youth to war on the whim of a weak mind, one incapable of uttering a coherent English sentence, drawling nonsense rhetoric. What for? Oil of course. But that's not important right now.
What's really important is that the sort of thing people died for in wars past, the right to a fair and free election, is in the hands of those with little or no mind power, so well-proven by the recent Florida mess, déjà vu all over again.

I haven't read a single commentator who stood up and suggested that the whole thing is downright unpatriotic; a stain on the graves of those who died. Election people, even when given lots of money and another chance, managed to screw up, royally.

We can certainly blame the computers and the complexity and moan about the lack of testing, redundancy and safeguards. But when I read the news from Marlboro, Massachusetts, and the fact that, for the second year, the election people screwed up again, it makes me wonder if The Florida Disease, like the West Nile virus, is spreading northward.

According to the *Metrowest Daily News*, a snafu brought their vote-tabulation system to its knees and resulted in the necessity to hand-count the ballots. I always appreciate it when the press or officialdom bring out these cute terms like snafu and glitch. Makes these blunders seem, well, harmless.

Last year's problem? The people maintaining the city's computer system didn't know last year why the clerk's office was on the computer system after hours and kicked it off while doing its nightly backup work.

This year? No one seems to know. This year, however, the systems administrators didn't try to back up the files being used by the clerk's office, Bunting said, so she doesn't know what happened.

But don't worry. Next year (the third time) will be a charm. We are comforted to hear, The problem shouldn't affect a third election, Bunting said. She said she's in the final stages of moving City Hall offices off of a 20-year-old computer system and onto a personal computer system.

Massachusetts just suffered one of the worst voter turnouts on record. Idiot blunders like these do little to raise confidence that one vote counts.
------------------------------

Date: Thu, 12 Sep 2002 11:00:06 -0400
From: Steve Summit
Subject: Retrospective Karger/Schell paper on Multics Security Evaluation

I'm sure that many, many readers of RISKS are familiar with the story of Ken Thompson's Turing Award lecture: of the invisible trapdoor in /bin/login maintained by an equally invisible trapdoor in the compiler, of the oblique reference to an "unknown Air Force document" whence came the idea for the trapdoors, of Ken's request for anyone who knew of the actual paper to let him know.

What I, for one, did not know was that the paper and its authors had in fact come to light: "Multics Security Evaluation: Vulnerability Analysis", written by Paul A. Karger and Roger R. Schell and published by the Air Force in 1974. And in a new paper which is simultaneously a trip down memory lane and an up-to-the-moment call to arms, Karger and Schell have collaborated on a new, retrospective paper which reviews (and incorporates a resurrected copy of!) the former report, while analyzing today's computer security landscape in light of the former report's analyses and recommendations.

The new paper is "Thirty Years Later: Lessons from the Multics Security Evaluation". It is to be presented at the Annual Computer Security Applications Conference (ACSAC, http://www.acsac.org/) in December, and a preprint copy is available under .

Anyone remotely interested in computer security (which probably includes just about everyone reading RISKS) should probably not bother reading any more of this note of mine, but should head directly to the domino Web site to fetch a copy. It's an excellent read, and the opportunity to view the problem from the 1974 perspective -- via the incorporated copy of the 1974 paper -- is priceless. (Among other things, it makes you realize how little we've learned since.)
Dismayingly, but not surprisingly, the authors do not find that the operating systems of today have benefited much from their in-depth analyses of Multics. Multics with moderate improvements was, they felt, adequately secure for a closed environment, but would not have been secure in an open environment (i.e. accessible to untrusted users) without a new security kernel which was never completed. Today's popular operating systems, on the other hand, are barely as secure as the unimproved Multics was, yet of course they are routinely asked to serve in the very harshest of environments: the open Internet. I'm afraid that the paper may be dismissed by some as another antiquarian pro-Multics rant, and I've also seen suggestions that it's thinly disguised Microsoft- or Unix-bashing. Neither criticism is remotely accurate: the paper's analysis is impartially objective and if anything borders on the excessively sober. To point out security flaws in popular operating systems is not to bash them; those problems are simple facts. My only criticism of the paper is not a criticism but a lament, similar to the one I sometimes feel when reading RISKS these days. Those of us who like to think we understand security have been discussing these issues for decades, but the message does not seem to be getting out; systems at all levels remain variously depressingly or laughably insecure. The current activity surrounding security is almost all what Karger and Schell call a "battle of wits" between attackers and defenders; little is being done to make commodity systems fundamentally secure. The obvious concluding question -- of a paper like Karger and Schell's, or a review like this one -- is, what should be done? The authors are not dogmatic, merely pointing out that the current situation is unstable and that some truly secure mechanisms (already known to be both theoretically and practically viable) will have to be deployed lest chaotic disasters ensue. 
The question for the rest of us is, do we agree, and can we persuade the parties who matter that they've got to take security more seriously? An all too likely reaction to the paper is that its insistence on new, verifiably secure kernels is extreme and unnecessary, that all we've got to do to win the "battle of wits" is to try a little harder. Alas, it's not clear that we're even keeping up with the adolescents who perpetrate scourges like Nimda and Klez, and it's even more unpleasant to contemplate how we might fare if faced with "industrial-strength espionage" (as Vernor Vinge put it in his haunting novel Marooned in Realtime). Let's hope we can find the collective wherewithal to do *something*; I'd rather not find myself marooned in the postapocalyptic husk of a once-great but inadequately secure cyberspace.

Steve Summit

  [The Web version has an explicit caveat relating to the fact that the two papers have been submitted to the Classic Papers section of the 18th Annual Computer Security Applications Conference (ACSAC), 9-13 Dec 2002, Las Vegas NV, and that until then the papers are considered restricted in their distribution. However, discussion of these papers has already reached Slashdot. We include this notice here to encourage discussion of their RISKS-relevance, and to encourage your attendance at ACSAC if this topic interests you, not to induce you to violate the caveat on the watson.ibm.com site. PGN]

------------------------------

Date: 29 Mar 2002 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, send e-mail requests to with one-line body
   subscribe [OR unsubscribe]
 which requires your ANSWERing confirmation to majordomo@CSL.sri.com .
 If Majordomo balks when you send your accept, please forward to risks.
 [If E-mail address differs from FROM: subscribe "other-address " ; this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
 Lower-case only in address may get around a confirmation match glitch.
   INFO [for unabridged version of RISKS information]
 There seems to be an occasional glitch in the confirmation process, in which case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
   .MIL users should contact (Dennis Rears).
   .UK users should contact .

=> The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from
   http://www.CSL.sri.com/risksinfo.html
   ftp://www.CSL.sri.com/pub/risks.info
 The full info file will appear now and then in future issues.
 *** All contributors are assumed to have read the full info file for guidelines. ***

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.

=> ARCHIVES are available: ftp://ftp.sri.com/risks or
   ftp ftp.sri.com
   login anonymous
   [YourNetAddress]
   cd risks
   [volume-summary issues are in risks-*.00]
   [back volumes have their own subdirectories, e.g., "cd 21" for volume 21]
 http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
 Lindsay Marshall has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
 http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
 http://www.planetmirror.com/pub/risks/
 ftp://ftp.planetmirror.com/pub/risks/

==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   http://www.csl.sri.com/illustrative.html for browsing,
   http://www.csl.sri.com/illustrative.pdf or .ps for printing

------------------------------

End of RISKS-FORUM Digest 22.25
************************