Forum on Risks to the Public in Computers and Related Systems
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Volume 10: Issue 60
Wednesday 14 November 1990
Contents
Computer Mishap Forces shift in Election Coverage- bahn_pr
- Voting electronically from home (revisited)
- John Roe
- Barclays' security: apologies!
- Pete Mellor
- Juicy 911 RISKS
- Steve Smaha
- Re: UK Software Engineer Certification
- Brian Tompsett
- Software Protection Tool
- Dave Erstad
- Sprint's voice-card system
- Steve Elias
Jerry Glomph Black - Re: Carbons
- Douglas W. Jones
- Your Flood Stories, Please
- Lindsay F. Marshall
- Corrected version of Virus Conf announcement
- Gene Spafford
- Info on RISKS (comp.risks)
Computer Mishap Forces shift in Election Coverage
<bahn_pr%ncsd.dnet@gte.com>
Fri, 9 Nov 90 16:04:31 -0500
The Washington Post, New York Times and USA Today had ordered national vote trend analyses from Voter Research and Surveys, a company set up to do exit poll surveys and have the results analyzed by 3:30pm on Election Day, 6 Nov 90. A computer glitch prevented the results from being available at all on that day. VRS had the data, but the weighting program did not work. [Abstracted by PGN from `Computer Mishap Forces shift in election coverage, Major Newspapers faced with delays in polling data', by Lynn Duke, staff writer Washington Post, 7 Nov 90] Now what i found interesting was the idea of Sam Donaldson screaming into some programmers ear while a camera is pointed on him. "Fix the program or we'll do a story on you buddy." :-) There are some interesting risks. First that unclean data was used and second that the big news agencies now all use the same polling source. What a risk if someone hacked them to create false trends. [bahn_pr]
Voting electronically from home (revisited)
John Roe <johnr@hpltbg.fc.hp.com>
Mon, 12 Nov 90 13:27:39 MST
A Boulder CO group has rediscovered Bucky Fuller's 50-year-old suggestion that everyone should be able to vote telephonically from home or wherever. "The system is based on a personal computer hooked into [the] telephone line. [Local activist Evan Ravitz] also loaded a list of registered Boulder County voters into the computer's memory, and the system checks names against a six-digit code based on date of birth. Callers enter their selections for the ballot by entering numbers on a Touch-Tone telephone. [...] "Boulder County Clerk and Recorder Charlotte Houston ... placed a call to the system on Monday and found that could could have voted for her son and daughter by providing their birth dates or Social Security numbers." [Abstracted by PGN from `Phone voting? Boulder group says it's time', an AP story from the Loveland, Colorado, Reporter-Herald, 6 Nov 1990.] I found this article alarming for a number of reasons: First, the possibilities for massive fraud are probably obvious to all RISKs readers. For example, if (as implied by the article) one can vote for another by simply knowing either the birth date or their Social Security number, with the hardware already in my own basement plus an appropriate database (which shouldn't be too hard to come by) I could have easily changed the outcome of a number of races and constitutional amendments here in Colorado during the November 6th election. With a concerted effort I could have chosen any candidate I wished. If I knew which registered voters had not voted recently, I could even make a reasonable effort at making my fraud somewhat less detectable. Second, I was disturbed (but not surprised) that the article emphasized the "gee-wiz" aspect of the idea, but mentioned the RISKs only in passing, and ended with a statement that implied that concern over fraud were irrelevant and paranoid. The token assurances of Mr. Pelton only serve to support this perception. I have come to expect that the popular press is ill-equipped to understand, evaluate, and explain the risks of technology to their readers (or viewers, in the case of television). This latest example only reinforces my expectations. Finally, and perhaps most significant, was the cavalier attitude of Mr. Ravitz toward the possibility of fraud, and his obvious lack of understanding of the problem. The current system is NOT based on honesty: it is based on physical security. If it is sufficiently hard for the same person to vote multiple times, voter fraud can be reduced to acceptable levels (but not eliminated, of course). In my precinct, I could conceivably vote two or three times before the election officials would start getting suspicious. If I spent the entire day driving around to various polling places in northern Colorado, I could perhaps vote a few dozen times. But to influence the outcome of the election would require a large number of cohorts; a task I could accomplish by myself from the comfort of my own home if Mr. Ravitz's proposal becomes law. I wonder if we would be permitted to vote on changing Colorado's election laws to permit voting by phone, by voting by phone? The outcome of such a vote could be enlightening ... John Roe, Hewlett-Packard, Colorado Integrated Circuits Division, 3404 East Harmony Road, Fort Collins, Colorado 80525-9599 (303) 229-4554
Barclays' security: apologies!
Pete Mellor <pm@cs.city.ac.uk>
Tue, 13 Nov 90 11:30:57 PST
In RISKS-10.50, in an item entitled "Hackers blackmail five banks (UK)", I gave excerpts from a newspaper report about the breach. I followed this with an anecdote told by the manager of the local branch of a chain of off-licences, who found that, after sending in his completed order to the main warehouse, what appeared to be credit card transactions from Barclays' Bank were displayed on his screen. Shortly thereafter, I received a phone call from the head of Information Security at Barclays, who was puzzled by the incident, and requested further information. Barclays' investigation revealed that the credit card transactions were in fact records of purchases made using the particular card at that off-licence, and others of the chain in the area. There was therefore no breach of security, since, of course, the manager had the right of access to that information. The incident was *not*, as I first thought, due to unencrypted transactions being transmitted over the public telephone lines being received by the wrong terminal. The only problem appears to have been a minor glitch which caused a file of credit transactions on the local machine to be displayed when my friend was not expecting it. So apologies to Barclays Bank! I hope that Barclays' security department are happy to let me set the record straight via RISKS, which they obviously monitor, and perhaps they would care to add some comments of their own. Moral: Check your facts before passing on anecdotes which you hear in pubs! Peter Mellor, Centre for Software Reliability, City University, Northampton Sq., London EC1V 0HB +44(0)71-253-4399 Ext. 4162/3/1 p.mellor@uk.ac.city (JANET)
Juicy 911 RISKS
Steve Smaha &maha@DOCKMASTER.NCSC.MIL>
Sun, 11 Nov 90 13:51 EST
"911 calls are ripe for trouble" 11 Nov 90 Austin American-Statesman, BLACKSBURG, VA (AP) These are hardly salad days for Montgomery county law officials. Last week, police were testing the county's 911 system, scheduled to begin operating next month, when the dispatcher received 10 calls that were traced to the home of Linda and Danny Hurst. She tried to call the line, but it was busy. When she hung up, she received another call from the same line. And another. Deputy sheriff tracked down Linda Hurst. "I told them I'd locked my house and there shouldn't be anyone in there," she said. Police, concerned that someone had broken in, asked Hurst to meet them at her house. She parked in front of the house, and walked up to the front door. "But they said, 'Ma'am, step back please.' I looked back and they had their guns drawn. They were serious," Linda Hurst said. "They went through the house, but they couldn't find anybody, so I went inside." Finally, Linda Hurst's brother spotted the culprit - an overripe tomato. The tomato was hanging over the telephone in a wire basket, dripping juice into the couple's answering machine. Chief Deputy Milton Graham said the tomato juice apparently got into the telephone's dialing system and caused it to dial the sheriff's office. "We're not sure how. Maybe they had speed dialing and it shorted out," he said. "I didn't know the answering machine could even dial out," Linda Hurst said. "It's just supposed to take messages."
Re: UK Software Engineer Certification
Brian Tompsett <bct@cs.hull.ac.uk>
Mon, 12 Nov 90 12:24:00 GMT
This note supplies greater detail about the steps involved in the certification
of Software Engineers in the UK. It is in response to several inquiries
requesting more detail after my last contribution to RISKS (Sept 21, 1990).
In answering the questions let me point out that the UK does not have Software
Engineering *specific* certification. Nor does it have *certification* in the
strict sense that is being discussed in the US at present. When I have detailed
the routes available in the UK you can decide for yourself how this relates to
what does/will exist in the US.
Let me start by describing the qualification route from High School through the
maze of qualifications and certifications. I can deal with how existing
Engineers fit into the picture later.
.------------------ Government --------------.
| Approves Charters |
| Curriculum Body |
v |
High School |
| v
| University Engineering
| Entrance Council
| Exams | Accredits
| | Society
v v
University <-------Accredits Degree Course--- Professional
| Society
| Accredited | |
| Engineering .---------' | Join Society
| Degree | |
v | v
Graduate | Student member
Employment <--Approves training-----' |
| | Get experience
| Certified |
| Engineering |
| training and experience |
v v
Chartered Corporate Member
Engineer-------------------. |
Status | | More
| | | Experience
| Outstanding | |
| Achievement | |
v v v
Fellowship European Fellowship of Society
of Engineering Engineer
The route illustrated in the above diagram is not specific to Software
Engineers, but is the generic model for all Engineers in the UK. The student
starts by taking a degree course at a University; this may be a B.Eng, M.Eng or
B.Sc. degree. In order for this degree to be considered a suitable education
for an Engineer the course must be accredited by the appropriate professional
body. The accreditation examines the curriculum, the facilities, the teaching
department and the institution itself. After graduating the student is expected
to take a position that will provide practical engineering training and real
experience. The training and experience is logged in the graduates own
engineers logbook and signed-off by qualified engineers and trainers. The
professional society provides the employer with the basic structure for this.
When the Graduate Engineer has gained sufficient experience (minimum 4 years)
he may apply to be a Chartered Engineer. Admission to Chartered Engineer can
only be made through a professional society and normally corporate membership
of the society requires the same entry qualifications as Chartered
Engineership. On joining the society the member is required to follow
professional code of conduct and code of practice. The admission procedure
involves vetting the applicants qualifications, receiving references from the
applicant's sponsors who are normally two other professional members and an
interview.
The Professional Society itself is accredited by the Engineering Council. The
accreditation examines the Societies methods and procedures for admission,
course accreditation and so on. The Engineering Council needs to ensure that
Engineers from all the different disciplines are equally qualified to be
Chartered Engineers. The area represented by the Society must also be one that
is considered as Engineering. This was a major hurdle for the British Computer
Society to show that "Information Systems Engineering" is Engineering and
qualified practitioners are worthy to be Chartered Engineers. This process took
four years.
The Pan-European Engineering element should also be noted. Someone qualified
as a Chartered Engineer may also apply for the title "European Engineer". This
is a title that is recognised across Europe. It also has its own code of
conduct in addition to the one applied by the professional society. A fully
qualified Software Engineer in the UK would therefore be attributed as:
Eur.Ing John Doe B.Sc, C.Eng, MBCS (or similar.)
Others may qualify as Chartered Engineers who do not follow the above route.
They may have become Software Engineers before the terms Computer Science or
Software Engineering existed, or have switched disciplines and previously
qualified in something else. They may have no formal qualifications at all and
have come into the profession through experience alone or they may have
overseas qualifications and experience. These groups of people are admitted
after having their qualifications and experience verified in a similar manner
to other applicants. Their education and training is compared to the standard
curricula. This sometimes involves examination of the students class
transcripts and the details of the course syllabus. In the absence of a
contemporaneous experience and training record a detailed Curriculum Vitae
needs to be validated. This usually involves finding other Engineers who can
act as referees and certify that the actual work experience claimed actually
took place and was of sufficient quality. This is usually done by initialing
copies of the curriculum vitae item by item.
Just to confuse the issue, the UK has a Software Engineering Examination Board
who issue certificates of competence in Software Engineering. These are not
related to the kind of Software Engineer certification we have been discussing.
The SEAB is involved in the training of people in the SSADM method that has
been mandated for use on UK Government work.
Brian Tompsett, Computer Science, Hull University.
Software Protection Tool
"DAVE ERSTAD" <derstad@cim-vax.honeywell.com>
9 Nov 90 17:06:00 CST
In the October 18th issue of Electronic Design News there's a blurb about a new product which obfuscates source code by changing variable names, removing comments, etc. The intent is to allow software to be distributed in source form while still protecting proprietary knowledge. The RISKy part is what some people believe (either the company or the reviewer, I'm not sure which). The last statement in the article is "Distribution also ensure that the producer receives virus-free code, because VIRUSES CANNOT OPERATE IN SOURCE CODE" (emphasis added). Dave Erstad, Honeywell SSEC DERSTAD@cim-vax.honeywell.com
complaints about Sprint's voice-card system
Steve Elias <eli@PWS.BULL.COM>
Sat, 10 Nov 90 14:17:36 -0500
These complaints about Sprint's voice-card system are a bit silly!
Where do yall get the idea that Sprint insists that one use their SSN
as their ID number? A friend at US Sprint confirms that their internal
literature makes no mention of forcing people to use their SSN.
Until you get some evidence that Sprint will not allow people to use numbers
other than their SSN, please refrain from flaming!
/eli
Sprint's New Calling Card
Jerry Glomph Black <black@ll-null.ll.mit.edu>
Fri, 9 Nov 90 16:49:14 EST
Obviously using the Social Security number as the basis of your FONCARD security number is pretty dumb. However, WHO tells Sprint this number? Presumably YOU, the customer. So, just feed them a number sequence which has high mnemonic value for you. Like maybe your phone number, or a slightly modified version of same. I've memorized my 14-digit `random' FONCARD number, but I use it a lot. Sometimes it's annoying to dial 11 digits of access code(1-800-877-8000), then the 11 digits of the destination number, then the bloody 14-digit number. My wife refuses to do this, so we got an AT&T card, where all you have to remember is FOUR DIGITS (tacked on to your 10-digit home number, which you presumably know). Anybody know why Sprint didn't just adopt this method? Chauvinism? Even the police-state People's Republic of Massachusetts allows you to specify a bogus SS No. for your driver's license, instead of your real one, so long as your bogus no. doesn't duplicate somebody else's license no. I recently took out a Hawaii driver's license, and they DEMANDED (over my vociferous objection) the SS No. or else! I'm not mega-paranoid, so I complied. Any Federal privacy laws involved here? Jerry Glomph Black, black@MICRO.LL.MIT.EDU
Re: Carbons (RISKS-10.59)
Douglas W. Jones,201H MLH,3193350740,3193382879 <jones@pyrite.cs.uiowa.edu>
9 Nov 90 21:31:15 GMT
> I saw that all messages printed on the FAX, are also 'burned' in the carbon
> paper ... This means that even if I stand next to the machine to receive
> a private message, people can later just open the FAX machine and read the
> message.
This is not a new risk! For years, typewriters that use a carbon film ribbon
have recorded every word typed on their ribbon. All you have to do to find out
what was typed on a typewriter is to take out the ribbon cartridge, pull out
the used ribbon and read it. The more errors and corrections made during tye
typing, the more garbled the ribbon will be. The risk is at least as old as
the IBM Selectric typewriter, and is well-enough known that it has appeared in
many cheap detective stories.
Doug Jones
Your Flood Stories Please.
"Lindsay F. Marshall" &indsay.Marshall@newcastle.ac.uk>
Mon, 12 Nov 90 16:16:05 GMT
Can anyone who has suffered a problem at their installation caused by water in
*any* form (or in fact any other liquids....) or who has heard of such events
please send me a summary of your experience. Information will of course be
treated in confidence if you should so desire.
Lindsay
MAIL : Lindsay.Marshall@newcastle.ac.uk (UUCP: s/\(.*\)/...!ukc!\1/)
POST : Computing Laboratory, The University, Newcastle upon Tyne, UK NE1 7RU
VOICE: +44-91-222-8267 FAX: +44-91-222-8232
Re: Corrected version of Virus Conf announcement (Re: RISKS-10.59)
Gene Spafford <spaf@cs.purdue.edu>
Fri, 09 Nov 90 21:04:16 EST
The following address was missing from the announcement of the 4th Annual Computer Virus & Security Conference, in RISKS-10.59: Dr. Richard Lefkon Virus Conference Program Chair 609 West 114th Street New York, NY 10025 (212) 663-2315
Report problems with the web pages to the maintainer