Subject: Risks Digest 22.83

RISKS-LIST: Risks-Forum Digest  Thursday 7 August 2003  Volume 22 : Issue 83

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at http://www.risks.org as
  http://catless.ncl.ac.uk/Risks/22.83.html
The current issue can be found at
  http://www.csl.sri.com/users/risko/risks.txt

  Contents:
Software violates stock ownership limits (Bill Hopkins)
Photoshop file contains more than the visible images (Nick Brown)
Virginia Identity Theft Passport (James Moyer)
Hand-held devices easy to hack (Monty Solomon)
What Time Is It? (Conrad Heiney)
Pentagon's online trading market plan draws fire (NewsScan)
New online futures market bets on next White House scandal (NewsScan)
Voting tech problems galore in Mississippi (Cathy Hayden via Kim Alexander)
Electronic voting - once again... (M Baumeister)
Why e-voting is a non-starter: Risks with e-voting
  (Bill Thompson via Chris Leeson)
Hospital records stuck in memory stick (Brett McCarron)
Re: Domain names (Jay R. Ashworth, Sidney Markowitz, Paul Schreiber)
Tech exodus: 500,000 U.S. jobs moving overseas (NewsScan)
PFIR Forums Adds "Voting Systems" Discussion Group (Lauren Weinstein)
REVIEW: "A Guide to Forensic Testimony", Fred Smith/Rebecca Bace (Rob Slade)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 4 Aug 2003 15:29:40 -0400
From: "Bill Hopkins"
Subject: Software violates stock ownership limits

*The New York Times* reported Thursday that a Connecticut money manager
inadvertently increased his holdings in two medical technology companies
despite agreeing with both not to do so.
He now owns 75% of one of the companies, whose CEO said he told them
"three layers of software somehow failed" after he agreed in April to
limit his investment at the 20% level.  The other company went from 20%
to 33%.  Nobody noticed anything wrong until mid-July, despite steady
buying.

The money manager is in apparent violation of SEC reporting requirements,
which carry regulatory penalties.  The companies face a protracted period
of uncertainty, as the positions are slowly unwound; one has a stock issue
planned for this week.  The institutional investors in the funds won't be
able to unload it if the stock prices fall, and other investors in the
companies who bought during the same period may wind up with losses if the
stock prices prove to have been inflated.

For the money manager, some obvious RISKs:
 * Allowing computer software to run your business.
 * Layering software (no word, but I'll bet it's from different vendors).
 * Not sending the key memo to all three layers of software.
 * Checking your total holdings every three months.

For companies, the RISKs are less clear.  It's not clear whether they had
any way of finding out who was actually buying their stock, and that the
price run-up was anything other than a general market recovery or
recognition of value.

For investors, well, we all know NASDAQ is a crapshoot in the dark, don't
we?  (Big Julie will now remember where the spots used to be on the dice
you just threw.)

The article, "Investor Says He Bought Stock and Didn't Know It," is at
  http://www.nytimes.com/2003/07/30/business/30PLAC.html
(registration required, free access ends 8/06)

------------------------------

Date: Tue, 5 Aug 2003 20:45:02 +0200
From: Nick Brown
Subject: Photoshop file contains more than the visible images

A US TV presenter posted some artistic close-ups of her face.  Using
Photoshop before saving, she had apparently cropped pictures that were
taken while she was posing topless.  This enabled the crop to be undone.
This reminds us of what can happen in Word when you do a "regular" save.
Apparently, Microsoft Word isn't the only application that stores more than
what you see.

The subliminally-R-rated URL was previously on-line
  http://www.shackspace.com/[...]
but the link has been taken down, presumably due to heavy traffic from
referrals from www.cruel.com.

  [Recovering the hidden information must be known as a "cropshoot".  PGN]

------------------------------

Date: Mon, 04 Aug 2003 16:47:58 -0400
From: James Moyer
Subject: Virginia Identity Theft Passport

As part of my study of photo ID documents (and the theory for explaining
how they work, the current version of my paper is at
http://www.njlicense.org/sdt.pdf), I've been trying to figure out the trust
failure portion of Security Document Theory.  Trust failure occurs when a
document is no longer believed to be valid.  Too much counterfeiting or
other security problems causes too many bad documents to be in the wild,
though I believe that institutions can turn their backs on ID documents,
which sometimes occurs in countries that have national ID cards.  (People
from several different countries, such as Italy and Argentina, have told me
that police may just decide not to trust their ID card, and haul them in to
get their identity assessed differently.)

The Virginia Identity Theft Passport is a different variation of that.  The
trust has eroded from the normal documents, and now people, in certain
situations, need yet another document to back up their current assortment
of documents.  (My theory considers photo ID card trust failures
inevitable, as long as the photo ID card performs multiple functions which
have value to criminals.)

I'm particularly amused by the reductio ad absurdum for the theft passport.
Instead of a separate document, why couldn't it be an endorsement on the
individual's driver's license (which would imply something like "this is a
regular John Smith, who is not *that* John Smith."
Or "this is a *real* Virginia driver's license."

------------------------------

Date: Sun, 3 Aug 2003 00:37:49 -0400
From: Monty Solomon
Subject: Hand-held devices easy to hack

Hand-held computers used to store phone numbers, medical and credit-card
information leave millions of gadget lovers fully exposed to identity-theft
and other crimes, security experts said on Saturday.  Software is now
widely available to allow people to steal passwords and other information
from popular Palm-based computers, especially when they connect to other
computers to share data, said Bryan Glancey, a manager at wireless security
services provider MobileArmor of St. Louis, Missouri.  While millions of
people now rely on handy electronic scheduling and address books, few carry
sufficient security protections to prevent identity theft if the hand-held
is lost or stolen, as is commonplace.  Simple programs exist to uncover
even hidden data, Glancey said.  Other software allows people to steal data
while remaining at some distance from the victims, he added.  ...
  [Source: Reuters, 2 Aug 2003]
  http://finance.lycos.com/home/news/story.asp?story=35114601

------------------------------

Date: Mon, 4 Aug 2003 12:47:15 -0700
From: "Conrad Heiney"
Subject: What Time Is It?

*The Guardian* has a fascinating story on the ITU's Study group concerned
with time.  According to the article, divergent time systems are an
increasing problem.  Conflicts between Earth time, the time provided by
atomic clocks, GPS time, and other standards raise interesting questions
about the safety of aircraft and other complex systems that may be running
on different timescales.
  http://www.guardian.co.uk/uk_news/story/0,3604,985020,00.html

------------------------------

Date: Tue, 29 Jul 2003 09:23:30 -0700
From: "NewsScan"
Subject: Pentagon's online trading market plan draws fire

The U.S.
Defense Department's Defense Advanced Research Projects Agency (DARPA) has
plans to set up an online Policy Analysis Market that will allow traders to
bet on the likelihood of future terrorist attacks and political
assassinations in the Middle East.  The bizarre scheme has drawn fire from
Senators Ron Wyden (D-Ore.) and Byron Dorgan (D-N.D.).  "The idea of a
federal betting parlor on atrocities and terrorism is ridiculous and it's
grotesque," said Wyden, while Dorgan described the plan as "useless,
offensive and unbelievably stupid.  How would you feel if you were the King
of Jordan and you learned that the U.S. Defense Department was taking bets
on your being overthrown within a year?"  However, the Pentagon defended the
initiative, comparing it to commodity futures markets.  "Research indicates
that markets are extremely efficient, effective and timely aggregators of
dispersed and even hidden information.  Futures markets have proven
themselves to be good at predicting such things as election results; they
are often better than expert opinions."  The market would allow traders to
deposit money in an account and then use it to buy and sell contracts.  If
a particular event comes to pass, the bettors who wagered correctly would
win the money of those who guessed wrong.  [BBC News 29 Jul 2003; NewsScan
Daily, 29 Jul 2003]
  http://news.bbc.co.uk/1/hi/world/americas/3106559.stm

  [This plan was subsequently scrapped.  One of its proponents, John
  Poindexter (head of DARPA's IAO office), reportedly will be retiring.  PGN]

------------------------------

Date: Mon, 04 Aug 2003 10:58:36 -0700
From: "NewsScan"
Subject: New online futures market bets on next White House scandal

In response to the Pentagon's now-discarded plans for a terrorism futures
market, academics from half a dozen U.S.
universities have created an American Action Market, which will offer
traders the opportunity to wager on the likelihood of various Washington
political events, such as: Which country will the White House threaten
next?  Who will be the next foreign leader to move off the CIA payroll and
onto the White House's "most wanted" list?  Which corporation with close
ties to the White House will be the next cloaked in scandal?  The AAM will
begin registering traders in September and will open for business October
1.  "It's quite amazing, the Pentagon and the White House are very fertile
imaginative fields these days," says one of the AAM founders.  "(The AAM
project) sounds humorous, but that just shows how far things have gone.
We've entered the realm of fiction.  Things are really Dr. Strangelove."
Bob Forsythe, a University of Iowa professor who helped set up the Iowa
Electronic Markets that speculate on election results, says such futures
markets can deliver fairly accurate predictions, but the traders have to be
knowledgeable.  "You have to have informed traders or they don't work very
well.  Who are the informed traders in an assassination market, for
example?  The same is true for predicting the White House."  [Wired.com
4 Aug 2003; NewsScan Daily, 4 Aug 2003]
  http://www.wired.com/news/politics/0,1283,59879,00.html

------------------------------

Date: Wed, 6 Aug 2003 11:59:43 -0700
From: Kim Alexander
Subject: Voting tech problems galore in Mississippi

Errors - human, mechanical - mar Election Day
By Cathy Hayden, chayden@clarionledger.com  [PGN-ed]
  http://www.clarionledger.com/news/0308/06/melec02.html

Election officials and political party offices were flooded all day on
5 Aug 2003 with reports of voting snafus ranging from locked precincts to
machine malfunctions to voters receiving ballots with the wrong names on
them.  "It's worse than it has been in 10 years," said Claude McInnis,
chairman of the Hinds County Democratic Party.  "We had redistricting.
That made it much more complex."  [...]

Because Mississippi has 82 counties and there are party primaries, "164
groups of people are running the elections - the Republican county
executive committee in every county and Democratic county executive
committee.  There's a lot happening," according to David Blount, spokesman
for Secretary of State Eric Clark.

  [The article quotes a voter who did not recognize anyone on the ballot --
  he had been given the wrong ballot, probably the fault of the poll worker.
  Usual tales of a precinct that was locked for three hours (with poll
  workers operating out of their own vehicles), nonworking touch-screen
  systems, failure to read the initialization chip, etc.  PGN]

Kim Alexander, President, California Voter Foundation
kimalex@calvoter.org, 916-441-2494, http://www.calvoter.org

------------------------------

Date: Thu, 24 Jul 2003 18:32:47 EDT
From: M Baumeister
Subject: Electronic voting - once again...

"According to election industry officials, electronic voting systems are
absolutely secure, because they are protected by passwords and tamperproof
audit logs.  But the passwords can easily be bypassed, and in fact the
audit logs can be altered.  Worse, the votes can be changed without anyone
knowing, even the County Election Supervisor who runs the election system."

... for the rest of the story:
Inside A U.S. Election Vote Counting Program [by Bev Harris]
  http://www.scoop.co.nz/mason/stories/HL0307/S00065.htm

------------------------------

Date: Mon, 28 Jul 2003 10:20:38 +0100
From: "LEESON, Chris"
Subject: Why e-voting is a non-starter: Risks with e-voting

Bill Thompson has written an article on the BBC Website about the Risks of
Electronic Voting:
  http://news.bbc.co.uk/1/hi/technology/3095705.stm

He starts by mentioning the recently-revealed DirectX flaw, security
problems in Windows Server 2003, and thefts from a South African bank due
to e-mail sniffing.
He then mentions the general problems with Authentication, and then some
specific problems found with the Diebold Election Systems equipment.  He
caps this section of the article with noting that the company concerned
refuses to allow independent code reviews on the grounds of commercial
confidentiality.  In other words, the same old story.

The article closes with the following paragraphs:

  The British Government is still set on giving us all easy ways to vote,
  and the pilots from last year's council elections are being extended.
  There is still talk of online voting in the next general election, and
  of moving away from paper ballots entirely in the future.

  Yet every time we get to look inside a piece of software or a security
  system that has been developed in secret, and built on the top of a
  compromise between acceptable levels of risk and the cost of doing it
  properly, we find holes and errors.

  This is the reason why we must not move to an online voting system.  It
  cannot be made secure, it cannot be guaranteed and it cannot be trusted,
  no matter who writes it, and no matter what claims are made.

  A democratically elected government of the United Kingdom has massive
  power.  The gains to be made from undermining a general election are
  just too high for us to take the risk of moving the election online.

  Paper ballots and physical presence in the polling station make the
  system too unwieldy to hack.  We should keep it that way.

------------------------------

Date: Thu, 07 Aug 2003 08:59:54 -0700
From: "Brett McCarron"
Subject: Hospital records stuck in memory stick

Hospital bosses in Greater Manchester have tightened up IT security
procedures after a Crewe estate agent found a memory stick sold as new
contained confidential details of 13 cancer patients.  A report into the
security breach, which happened earlier this year, found that the data had
been transferred onto the memory stick when a computer storing a database
of patient details was sent for an upgrade.
The hospital's IT supplier Pocos took the computer to MBS Computers in
Crewe, where the data was copied onto the stick.  But the investigation was
unable to ascertain how it then came to be sold as new.
  http://silicon.com/news/500013-500001/1/5491.html
  http://zdnet.com.com/2110-1105_2-5060979.html

  [I'll bet that opened package memory sticks sell pretty quickly at
  computer superstores - BWM].

Brett McCarron, IT Security & Policy Officer, WDFW Information Technology
Services, 600 Capitol Way N. - Olympia, WA 98501-1091  (360) 902-2331

------------------------------

Date: Mon, 4 Aug 2003 12:45:04 -0400
From: "Jay R. Ashworth"
Subject: Re: Domain names (RISKS-22.81)

Darryl Luff apparently reads Dave Barry's weblog.  :-)  So do I, but as far
as I know, Dave got the other one from me:
  http://www.whorepresents.com

Isn't it nice that DNS is case-insensitive so that you can use
WhoRepresents.com instead?

Jay R. Ashworth, Member of the Technical Staff, Baylink, The Suncoast Freenet
Tampa Bay, Florida  jra@baylink.com  http://baylink.pitas.com  +1 727 647 1274

------------------------------

Date: Mon, 28 Jul 2003 12:04:34 +1200
From: Sidney Markowitz
Subject: Re: Domain Names (RISKS-22.81-82)

RISKS-22.82 correctly points out that powergenitalia.com is not the Web
site of some Italian subsidiary of the British firm Powergen, and the Web
site today (as I type this) is just an "under construction" page.

HOWEVER, there was a company Web site there when it was mentioned in
RISKS-22.81.  You can *try* to hide, but often not successfully on the Web.
The Internet Wayback Machine reveals that there is a company named Powergen
Italia (or else a very longstanding Web hoax).
Their location and history can be found at:
  http://web.archive.org/web/20020210171927/www.powergenitalia.com/inglese/logo1.htm
  http://web.archive.org/web/20020203231738/www.powergenitalia.com/inglese/aziendae.html

The whois information matches the information there:
  http://opensrs.org/cgi-bin/whois.cgi?action=lookup&domain=powergenitalia.com

------------------------------

Date: Tue, 29 Jul 2003 18:26:35 -0400
From: Paul Schreiber
Subject: Re: Domain Names (RISKS-22.81-82)

I've seen this before: the dotcom "experts exchange" had the domain
expertsexchange.com ... ExpertSexChange.com?  Ooops!

  [Ah, another item for my Hyphen(h)ater's Handbook?  PGN]

------------------------------

Date: Wed, 30 Jul 2003 09:36:42 -0700
From: "NewsScan"
Subject: Tech exodus: 500,000 U.S. jobs moving overseas

One out of 10 jobs in the U.S. computer services and software sector could
move overseas by the end of next year, according to a new report from
Gartner Inc.  And while professionals in the computer industry will be
especially hard-hit, IT jobs in other sectors such as banking, health-care
and insurance will feel the impact also, with one in 20 being exported to
emerging markets such as Russia, India or other countries in Southeast
Asia.  "Suddenly we have a profession -- computer programming -- that has
to wake up and consider what value it really has to offer," says Gartner VP
and research director Diane Morello.  Morello estimates that based on her
preliminary calculations, at least 500,000 jobs will be lost to offshore
outsourcing by the end of 2004.  The trend toward "offshore outsourcing" is
heating up as a political issue, with legislators in five states proposing
bills that would require workers hired under state contracts be American
citizens or fill a special niche that citizens cannot.
  [Reuters/CNN.com 30 Jul 2003; NewsScan Daily, 30 July 2003]
  http://www.cnn.com/2003/TECH/internet/07/30/jobs.oversees.reut/index.html

------------------------------

Date: Wed, 6 Aug 2003 11:59:26 PDT
From: pfir@pfir.org (PFIR - People For Internet Responsibility)
Subject: PFIR Forums Adds "Voting Systems" Discussion Group

  PFIR - People For Internet Responsibility - http://www.pfir.org

The PFIR Forums discussion board located at:
  http://forums.pfir.org
has added a new discussion group topic:

  "Voting Systems - Benefits and Risks"

for the discussion of the benefits, risks, problems and solutions related
to voting technologies, including mechanical and electronic (e-voting)
systems, especially optical scan, computer-based, and Internet voting.
This group is moderated by Peter G. Neumann.

Other discussion groups (all are moderated) on PFIR Forums include:

  Civil Liberties vs. Technology
    Advanced and useful technologies are becoming massive threats to
    privacy and other civil liberties.  How can technology be
    appropriately controlled and civil liberties protected?

  E-Mail Issues, Problems, and Solutions
    Discussion of problems, possible solutions, and a wide range of other
    issues relating to e-mail, including PFIR's Tripoli e-mail proposal

Informational (read-only) groups include:

  Fact Squad Radio
    Recent listings and e-mail notification for PFIR's Fact Squad Radio
    short mp3 audio features

  PFIR Forums Information and Guidelines
    Basic information, usage guidelines, privacy policy, etc. for PFIR
    Forums

As always, your participation in PFIR Forums is cordially invited.

Thank you very much.
Lauren Weinstein
http://www.pfir.org/lauren
lauren@pfir.org  lauren@vortex.com  lauren@privacyforum.org
+1-818-225-2800
Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org
Moderator, PRIVACY Forum - http://www.vortex.com

------------------------------

Date: Tue, 29 Jul 2003 10:54:51 -0800
From: Rob Slade
Subject: REVIEW: "A Guide to Forensic Testimony", Fred Smith/Rebecca Bace

BKGDFOTS.RVW   20030604

"A Guide to Forensic Testimony", Fred Chris Smith/Rebecca Gurley Bace,
2003, 0-201-75279-4, U$49.99/C$77.99
%A   Fred Chris Smith
%A   Rebecca Gurley Bace
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D   2003
%G   0-201-75279-4
%I   Addison-Wesley Publishing Co.
%O   U$49.99/C$77.99 416-447-5101 fax: 416-443-0948 bkexpress@aw.com
%O   http://www.amazon.com/exec/obidos/ASIN/0201752794/robsladesinterne
     http://www.amazon.co.uk/exec/obidos/ASIN/0201752794/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0201752794/robsladesin03-20
%P   509 p.
%T   "A Guide to Forensic Testimony"

The subtitle explains the book more fully: "The Art and Practice of
Presenting Testimony as an Expert Technical Witness."  However, those with
expectations about the form of technical literature should note that the
style of this work follows that of the legal profession and case law: it
primarily teaches by using examples rather than pointing out a specific
methodology.

The preface illustrates another difference between the technical and legal
worlds.  Computer work generally involves finding an answer to a problem:
if the code works, background study and documented analysis is generally
irrelevant.  The legal profession, on the other hand, absolutely depends
upon advance preparation, and an answer is almost useless unless the
reasoning, background, and process is not only chronicled, but properly and
legally obtained.
Thus the authors are aware of the twin needs to inform technical experts
about the requirements of the legal world, and to instruct legal
professionals in aspects of technology that may be relevant to the pursuit
of a case.  The introduction notes the possible tragedies that can result
if either the trial attorney or the technical expert attempts to act as
ventriloquist to the other's dummy.

Chapter one gives examples of expert witnesses, starting with a fictional
example from a movie.  Normally this would not be very instructive, but the
authors are careful to point out, from the fictional story, important legal
points to be aware of in regard to the possibilities and limits of expert
testimony (and also the legal restrictions that would prevent some of the
story points from happening in a real case).  The rest of the chapter then
goes on to introduce legitimate and recognized experts, and present their
opinions and advice in regard to the practice of expert testimony.  Chapter
two is supposed to promote both the idea of becoming an expert witness, and
of preparing for the experience.  In fact, most of the material deals with
Bill Gates' first deposition in the antitrust litigation, and the mistakes
that he made.  The example does make valid points both about the value of
preparation and the need to testify whether we want to or not, but the
message is not always obvious.  Using testimony to provide a story about
what happened is presented in chapter three.  The example, though, is the
tracing of Kevin Mitnick's intrusion on the systems managed by Tsutomu
Shimomura, and therefore the testimony, which never happened, is simulated,
which weakens the lessons the text intends to convey.  Chapter four
outlines the rules of testimony and the legal process, and is the section
that technical people should probably study most thoroughly.
Although there are important points to be made in regard to the dangers of
reasoning beyond the facts, chapter five reads more like an editorial
inveighing against pseudoscience.  Ethical issues are discussed in chapter
six.  The early material involves a great deal of text from two case
decisions, but eventually there is a review of codes of conduct, and even
examination of some of the moral aspects of court battles.  Chapter seven
deals specifically with the matter of bias.  The gatekeeper function of
American judges, who must decide not only whether a witness is truly
expert, but on what the expert may testify about or to, is covered in
chapter eight.  This material also reviews important points about the
qualifications for experts and the characteristics of good evidence.
Credible and convincing evidence and presentation is described in chapter
nine, and this is extended to visual exhibits in chapter ten, demeanour in
eleven, and non-verbal communications in twelve.  Chapter thirteen contains
examples of, and advice from, some experts who have extensive experience in
court testimony.

The book sometimes flows rather oddly, and it would be easy to take issue
with a number of the topics or the emphasis given to certain ones over
others.  Even so, this work *is* important, and information security
professionals, and certainly those in management or consulting roles,
should seriously consider it.  The text is written with the technical
worker in mind, although legal professionals would undoubtedly find the
research, advice, and explanations to be helpful in preparing for technical
cases.  Litigation involving technical topics is increasing all the time,
and new (and therefore unfamiliar) technologies are now as constant a fact
of legal life as forensic concerns are in technical work.

copyright Robert M.
Slade, 2003   BKGDFOTS.RVW   20030604
rslade@vcn.bc.ca  slade@victoria.tc.ca  rslade@sun.soci.niu.edu
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

------------------------------

Date: 30 May 2003 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  Alternatively, via majordomo,
 send e-mail requests to with one-line body
   subscribe [OR unsubscribe]
 which requires your ANSWERing confirmation to majordomo@CSL.sri.com .
 If Majordomo balks when you send your accept, please forward to risks.
 [If E-mail address differs from FROM:  subscribe "other-address " ;
 this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
 Lower-case only in address may get around a confirmation match glitch.
   INFO     [for unabridged version of RISKS information]
 There seems to be an occasional glitch in the confirmation process, in which
 case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
 .UK users should contact .
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> The INFO file (submissions, default disclaimers, archive sites,
 copyright policy, PRIVACY digests, etc.) is also obtainable from
 http://www.CSL.sri.com/risksinfo.html
 ftp://www.CSL.sri.com/pub/risks.info
 The full info file will appear now and then in future issues.  *** All
 contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
=> ARCHIVES: http://www.sri.com/risks
 http://www.risks.org redirects you to the Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]
 Lindsay has also added to the Newcastle catless site a palmtop version
 of the most recent RISKS issue and a WAP version that works for many but
 not all telephones:
 http://catless.ncl.ac.uk/w/r
 http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
 http://www.planetmirror.com/pub/risks/
 ftp://ftp.planetmirror.com/pub/risks/
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
 http://www.csl.sri.com/illustrative.html for browsing,
 http://www.csl.sri.com/illustrative.pdf or .ps for printing

------------------------------

End of RISKS-FORUM Digest 22.83
************************