The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 10 Issue 72

Wednesday 19 December 1990


o Re: Computer Models Leave U.S. Leaders Sure of Victory
Richard Schroeppel
o Re: Voting Technology
Brian Rice
Jerry Leichter
Michael J. Chinni
Lauren Weinstein
o Re: Legion of Doom
John Boyd
K. M. Sandberg
Brendan Kehoe
o Value of data integrity
Mahan Stephen
o Info on RISKS (comp.risks)

Re: Computer Models Leave U.S. Leaders Sure of Victory

Richard Schroeppel <r@fermat.UUCP>
Wed, 19 Dec 90 14:02:12 PST
My wife's reaction:  Let's just hope Iraq is running the same simulation.

War Game Vendor, Telephone Support Service:
"Really?  ...  That's awful.  ...  I wonder how that happened. ...
 What version are you running?  ...
 4.1.3?  Oh, yeah, that version has a bug in the enemy tanks.  Give
 me your address, and I'll send you the upgrade to 4.2. ...
 Does who have it?  ...
 Probably; we sent out the upgrades three weeks ago.  You should have
 gotten it by now.  Did you send in your registration card? ..."

Rich Schroeppel                    

The topic that wouldn't die: telephone voting

Brian Rice <>
Mon, 17 Dec 90 16:33:50 est
>From the Associated Press (appeared in the News and Observer
of Raleigh, N.C., 17 Dec 1990, p. 2B):

"WINSTON-SALEM, N.C.: State elections officials looking
 over November's balloting say voter fraud has tapered
 in recent years to 'tolerable' levels.

"State Elections Director Alex K. Brock says he foresees
 a day when North Carolinians will vote by telephone.
 Their voice patterns will be confirmed and their votes
 tallied by computer. [...]"

Aaack!  These three sentences have got to be the most thoroughly alarming I've
seen with my morning joe in years, even if I ignore the civil-liberties
implications of "tolerable levels of voter fraud," or of making voting
difficult without a phone, or even of the state's having (or thinking it has)
every citizen's "voiceprint."

I 'spec I need to send Mr. Brock some back issues of the RISKS digest.  It's
alarming when a public official seems not at all to have thought about issues
that seem obvious to you and me...and the most recent N.C. elections should
have given him pause, his satisfaction with them notwithstanding.

Many RISKS readers will have been aware of a recent well-publicized race for
office in North Carolina between candidates we'll call A and B.  Now, candidate
A has for quite some years referred to members of a certain ethnic group as the
"bloc vote"--that is, against him--so it was not a surprise when reports
surfaced after the election that members of A's party went to a precinct
heavily populated by members of that ethnic group and methodically challenged
every single voter's right to vote.  This is an involved process, involving
signatures of elections officials, sealed ballots, etc.; obviously this takes a
while, and enormous delays were created, mitigating turnout.

I'm refraining from naming the candidates, parties, and ethnic groups involved
because I'm not trying to make political hay (yes, I worked for B), because
these reports have not been confirmed, and because the party-A folks were
acting within the letter of the law.  Nonetheless, Mr. Brock apparently hasn't
heard the phrase "denial-of-service attack."  Sigh.

Brian Rice, DG/UX Product Assurance Engineering Data General Corp., Research
Triangle Park, N.C.     +1 919 248-6328

Voting Technology

Jerry Leichter <>
Wed, 19 Dec 90 09:39:00 EDT
William Plummer asks about cryptographic technology for implementing secure
voting.  (He also includes a long ramble about weighting voting by amount of
taxes paid, a social and political issue that is completely independent of
the technology used to implement elections.)

There are, in fact, algorithms to implement such votes.  There are some very
general algorithms allowing groups of mutually-distrustful people to reach a
common decision.  (One way such problems get posed in the theory community is
as follows:  The members of a millionaire's club are curious as to which of
them is the wealthiest.  However, they are also jealous of their privacy, so
none is willing to reveal his actual wealth to any of the others.  Devise an
algorithm which will indicate which of them is the wealthiest, but which will
reveal no other information about their wealth to anyone.  Solutions to this
problem exist.  They are quite non-trivial!)

An algorithm designed specifically for voting was described in Josh Benaloh's
PhD thesis.  (Yale, 1987 or 88 I think.)  In Benaloh's basic algorithm, we
assume a central government and a public, broadcast network.  People vote by
posting various encrypted messages on the network.  The protocol provides two
guarantees:  No voter can determine another voter's vote; the government
cannot fake the outcome (i.e., any voter can look at the published data and,
if the government cheated, determine that fact).

In the basic algorithm, the government can read anyone's vote.  From this
basic algorithm, Benaloh goes on to show how to get by without a trusted
government - essentially, one can split the government's responsibilities up
among a number of independent agents in such a way that only the collusion of
ALL the agents would allow a vote to be read.  (The idea is that you would
choose to do your voting through the Democratic, Republican, and Libertarian
Party clearing-houses, plus for good measure the ACLU and the NRA, figuring
that if ALL of them are allied against you, there's not much point in worrying
about trivialities like vote privacy.)

Finally, Benaloh shows how to construct an election which reveals only the
minimum of information:  Who won, but nothing at all about the vote totals.

Again, the techniques involved are mathematically quite sophisticated.  (They
are closely related to RSA, but not identical to it.)  They are all "efficient"
in the theoretician's sense (polynomial time), but not (yet?) practical for a
real, large election.

If you want further information, at last word mail to was
still being forwarded.
                            -- Jerry

Re: Voting Technology

"Michael J. Chinni, SMCAR-CCS-E" <mchinni@PICA.ARMY.MIL>
Wed, 19 Dec 90 13:05:05 EST
>From "William W. Plummer" <>:
>    The voting system that I would like to see simply weights your vote
> by the number of tax dollars that you pay.  We have often heard that the
> super wealthy use tax loopholes to lower their tax to zero while manipulating
> laws to make this possible.  On the other end of the scale, the poor are
> accused of using tax supported services far in excess of their tax payments;
> the poor tend to vote for candidates that promise to keep up the handouts.
> Of course, it is the middle income people that support all of this.  So, my
> scheme has the appropriate negative feedback built into it.

    Yeah, negative feedback. TO MUCH NEGATIVE FEEDBACK.
    The MAJOR problem with your scheme is that government under it would
only represent those with the most money (the rich).  If your plan was made
law, I foresee the rich changing their tax-status and doing their tax-returns
so that they are taxed the most. This gives them enough votes to elect ANYONE
they want.  Regardless of the votes of everyone else.  This then makes our
country no longer a democracy ruled by the will of the majority, but a country
ruled by a priviledged few (kind of what england was like before the Magna
Carta or what South Africa is like now). What possible results would this have
for the non-priviledged few. Results like:
    result              why
    no labor laws           costly (gives the employee more money
                    and hence more voting power)
    no financial aid for college    costly (more smarts and people might
                    realize that they have effectively no
                    say in the way they are governed)
The idea being that everything that has made the life (working and private) of
the middle and lower classes better, that is funded by the government or was
made possible only by government regulation, would be done away with if it
interfered with what the rich wanted.
    End result - the rich get richer and more powerful and
             the middle and lower classes become one class - the lower

>    A major problem with the system is that it require a constitutional
> amendment. In other words we would no longer have "One man, one vote."  But I
> argue that the Constitution was written before income tax and local taxes
> etc.  In a sense everybody was taxed equally back then.  All this new system
> does is to restore the equality of the voting power.
    Back then it wasn't so much as tax equality as it was to insure that
those being governed had an effective way to decide how they would be governed.

(insert standard disclaimer here)               ...!uunet!!mchinni
Michael J. Chinni, Simulation Techniques and Workplace Automation Team, US Army
Armament Research, Development, and Engineering Center, Picatinny Arsenal, NJ

telephone voting

Lauren Weinstein <>
Tue, 18 Dec 90 18:50:53 PST
In a recent digest, a contributor quoted (without attribution) from an original
Risks message of mine which pointed out some potential problems with
"Dial-A-Vote" systems--particularly in regards to identity issues.  He used
phrases such as "patently false" and "pandering to the fears of the ignorant",
and seemed to feel that other messages pointing out ways to do physical mail
voucher voting invalidated the concerns.

I'd like to point out that my original message was clearly oriented
*specifically* toward the issues of telephone-based voting systems.  I was not
discussing physical mail-based systems.  The author admitted that the issue of
disassociating the vote from its origin in a telephone-based system was a
serious problem.  That's the whole point of my original message!  Given the
realities of modern telephone technology, there is no way for users of such a
system to be sure that their telephone number, and thus their address, has not
been tagged by the voting system.  Even if the system doesn't need to
differentiate among voters in a multi-voter household, the simple capability of
automatically correlating vote with voter location should trigger the Risks
alarm bells.  Anyone who thinks that significant numbers of voters will bother
to vote from payphones (assuming such is possible) to avoid such problems is

Finally, I don't consider pointing out these concerns to be "pandering to the
ignorant".  Even when there is a theoretical way to do the job right (which
isn't always the case), the way the job may actually be done may not avail
itself of the correct techniques, in the interests of time, money, or other
factors.  Unfortunately, it's all too easy for such systems to be made to "sell
to the gullible", particularly when attempts are made, however benignly, to
minimize discussion of the potential problems involved.

Re: Response by Legion of Doom

John Boyd;CRENP <>
Wed Dec 19 10:29:41 1990
>Date: 9 Dec 90 18:26:16 GMT
>From: (Irving Wolfe)
>Breaking and entering is a crime that has two parts: "breaking" and
>"entering."  If you leave your front door ajar, one need not "break" to
>"enter."  If a company leaves the door to its office ajar, it cannot accuse an
>outsider found walking down its hallway (doing no harm) of any crime, it can
>only tell him to leave.

Isn't this trespassing?  If I arrive home with an armload of groceries,
unlock the front door, take say, three steps and set the groceries on the
floor, and turn to lock my door and find you standing in my living room,
you'll stand a good chance of either getting your butt kicked or shot!

From: black@seismo.CSS.GOV (Mike Black)

>3.  "We are in business to do business...".  True, but businesses have a
>responsibility to society to ensure their business does not invite criminal

And don't people in general have a responsibility to society to behave in
acceptable, legal ways?  'The devil made me do it' was never a defense.  So
far, I don't think the phone companies have been sued as being a party to
bookmaking operations.

>5.  Finally, let's try and define a reasonable person on this matter:

>1.  When you hook-up a phone line to your computer, a reasonable
>person would expect to get calls from unauthorized users.

And a reasonable person would expect the company that wrote the software to
have made _reasonable_ efforts to defeat entries by those unauthorized
users (hard-core, criminal hackers notwithstanding).  But then, they've
already taken themselves off the hook with those legalese non-warranties.


  Disclaimer - If I express an opinion, the Air Force will deny I know
               what I'm talking about.

Re: Response to "Legion of Doom" (Wolfe, RISKS-10.70)

K. M. Sandberg <>
19 Dec 90 16:37:46 GMT
>Breaking and entering is a crime that has two parts: "breaking" and
>"entering."  If you leave your front door ajar, one need not "break" to
>"enter."  If a company leaves the door to its office ajar, it cannot accuse an
>outsider found walking down its hallway (doing no harm) of any crime, it can
>only tell him to leave.  Since people here seem so fond of analogies, I'll
>These analogies are silly.

How about trespassing? Actually breaking and entering is a good analogy because
most computer systems do have a lock, the passwords and accounts, but they are
not very strong, like houses. To have not password would be like leaving the
door unlocked, but how many companies do this? Cars are also the same, dare you
say that leaving a nice car around where someone can see it it causing an it to
be stolen? The solution: get rid of everything that might attract someone. Is
this what you want?

Just how strong of a lock must you have before you are no longer accused
of making it easy for someone to break in?

>If we are to have a law in this area, it should be simple:  Attempting to log
>into a computer system or otherwise access it without having been explicitly
>invited should be a crime whether or not the attempt succeeds and whether or
>not any damage was done.  Probably using a normally-public area like an ftp
>or anonymous uucp directory should be explicitly excepted, as should a small
>number of attempts to log into a system accidentally, provided no hacker-type
>activities (systematically guessing passwords, taking advantage of system
>defects to gain privileged access, etc.) were involved.
>But if this is to be a crime, it is fundamentally unrelated to old-time crimes
>like breaking and entering or car theft.  We are making it a crime because
>we'd like to discourage it, not because there's a clear moral issue or any
>harm being done.  There may or may not be.  The law is for our convenience,
>and has no moral side, and the violator is not to be punished for his evil
>character, but merely for having violated a well-known law carrying a
>well-known penalty.

I'm sorry, but I do think that breaking in to a computer has a moral side.
People should take responsibility for their own actions and know that something
is wrong and not just because of a law. Society can not, nor should not in my
opinion, make a law for every possible thing that can or will be done. A person
has to be reasonable and for someone to say that they did not think that
breaking into a computer system (getting around the password protection at
least) was not wrong is being unreasonable, besides if they didn't think it was
wrong, why do they hide the fact that they are doing it?

On the computer systems I have been responsible for I have put a notice
on login "Unauthorize access is prohibited", which makes it clear that
unless you are authorized, you don't belong on the system. Even use
by employees can be questioned if they use the system for non-work
related things that impact the system, but this is not the intent.


It would be interesting if people would listen to what they are saying,
but then again others are not listening either, so why should they?

Re: Response to article on "Legion of Doom" sentencing

Brendan Kehoe <>
Wed, 19 Dec 90 14:34:29 GMT
In Risks digest 10.70, Irving Wolfe ( wrote:

> Attempting to log into a computer system or otherwise access it
>without having been explicitly invited should be a crime whether or
>not the attempt succeeds and whether or not any damage was done.

  How in the world would such a thing be enforced? Agreed, you'd have to give
leeway for the cases like ftp/uucp, accidental attempts, etc.  But trying to
word such a law would be sheer hell -- the number of loopholes that'd be
created would far outweigh the number of benefits.  For example: just last
night, someone tried to log in as root through FTP to one of my machines. How
would this fall under these guidelines?  It's an FTP session, so it's got the
shadow of "exempt" hanging above it. But wait! It was an attempted login to
*the* privileged account, right? True. But the person could easily say they
were root on their own machine (assuming it was the same person) and they just
hit &eturn> at the name: prompt before they realized what they were doing, and
subsequently were stuck with logging the FAILED LOGIN message. A really messy

  I completely agree that there should be some sort of law concerning this
issue, even moreso in recent months (with the # of attempted logins from
unrestricted terminal servers on the rise). But trying to make such a law real
would be dangerously close to constantly monitoring every connection for
anything that some "objective party" deems suspicious.

>But if this is to be a crime, it is fundamentally unrelated to old-time crimes
>like breaking and entering or car theft.  We are making it a crime because
>we'd like to discourage it, not because there's a clear moral issue or any
>harm being done.  There may or may not be.

  Exactly. We're trying to take a law that restricts walking pets in the park
and make it apply to bringing your adorable scorpion "Spike" for a little jaunt
down the block.

     Brendan Kehoe - Widener Sun Network Manager -

Value of data integrity

Wed, 19 Dec 90 10:16:00 CST
     I have a few thoughts on the ideas expressed [in RISKS-10.66?] about "no
damage being done by an unauthorized user".

     The data in a computer has value.  This applies to software under
development, experimental records, financial records, and almost all
other forms of electronically recorded data.

     A large part of the value of the data lies in the knowledge of the
integrity of the data and the confidence placed in the data as a result.  If an
unauthorized used has gained the ability to change the information in the
computer then REGARDLESS of whether any information was actually changed the
degree of confidence in this information is necessarily lessened.

     Restoring the original level of confidence in the data will require some
finite amount of effort, whether restoring from backups, reconstructing,
comparing against old printouts, or other techniques.  The amount of effort
depends on the value of the data and the willingness to accept a lesser
confidence level, as well as other implementation dependent details.

     Viewed in this respect, unauthorized access to the system does result in
losses to the owners of the system whether or not any alteration of the
information took place.

     These are my opinions only and do not necessarily represent any
other person or organization.

Stephen Mahan, Naval Coastal Systems Center, Panama City, FL  32407-5000

Please report problems with the web pages to the maintainer