The RISKS Digest
Volume 21 Issue 11

Wednesday, 8th November 2000

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Did a human factors problem affect the U.S. presidential election?
Steve Bellovin
More on Florida in this and previous elections
E-voting as a panacea for Florida count?
Jeremy Epstein
CNN: E-voting could have prevented U.S. election chaos
Evan McLain
"REALITY RESET": "Hacking the Vote"
Lauren Weinstein
Web sites report exit poll results before networks do
Political dirty tricks, cyber-style
Vote auction Web site moves operations overseas
UK air-traffic control problems
Indianapolis FAA route center running on generators for a week
Nathan Brindle
Raccoon power outage over the weekend
Dan Ellis
Researchers able to defeat digital music security measures
Verisign and MS authenticode
Carl Byington
Microsoft Web site vandalized
The latest in anti-spam technology
Greg Compestine
Re: EMI, etc.
Pete Mellor
2001 USENIX Annual Technical Conference - Call For Papers
Andrea Galleni
Info on RISKS (comp.risks)

Did a human factors problem affect the U.S. presidential election?

<Steve Bellovin <>>
Wed, 08 Nov 2000 14:15:47 -0500

The outcome of the U.S. Presidential election may have been determined by
poor human factors in a computerized vote-casting system.

As of this writing (early afternoon on Wednesday), Bush and Gore are
separated by less than 1800 votes (.03%) in Florida.  Due to the arcana of
U.S. election law, whoever carries Florida at this point will win the
overall election.  And there's a problem in one county that may have
resulted in ~3000 votes that were intended for Gore in fact being cast for
Buchanan, a minor party candidate.

Palm Beach County uses a punch-card voting system.  Because of the layout of
the names relative to the holes and the buttons to punch those holes, it was
apparently easy to get confused about how to vote for Gore.  Apart from all
the calls to the election board by confused voters, there is circumstantial
evidence from the actual tally: Buchanan drew 3407 votes in this county,
more than anywhere else in the state, and considerably at variance with both
the usual demographics (this county is heavily Democratic, and would be
expected to vote for Gore) and with the number of votes Buchanan received in
similar, neighboring, larger counties (789 in Broward; 561 in Miami-Dade

The director of the state Department of Elections doesn't think there's a
problem — but he was appointed by Jeb Bush, governor of Florida and brother
of the Republican presidential candidate...

		--Steve Bellovin

More on Florida in this and previous elections

<"Peter G. Neumann" <>>
Wed, 08 Nov 2000 16:17:09 PST

In addition to the Palm Beach County curiosity noted by Steve Bellovin, a
heavily loaded ballot lock box was found today in a heavily Democratic
precinct.  I don't think this is what Al Gore meant by a "Lock Box on (Social)

  [CORRECTION ADDED IN ARCHIVE COPY: Apparently this box contained
  supplies, not ballots.  But *The NY Times* 10 Nov noted various
  precincts in which ballot boxes and a bag of cards had not been
  included in the original count.]

For some historical perspective, we might recall the 1988 election in
Florida, in which there were 200,000 fewer votes for the Senate race than
for the presidential candidates, and the remarkable anomaly was mostly only
in four counties administered by a particular computer system vendor.  The
declared winner was Connie Mack, who has just retired, 12 years later.  See
*The New York Times*, 12 Nov 1988, and RISKS-7.78.

And then there was the St Petersburg city election in March 1993 in which
1429 votes were recorded for the incumbent mayor tabulated under an
industrial precinct that had ZERO voters, where the mayor won the election
by 1425 votes.  Fuzzy math strikes again?  See Rebecca Mercuri, Corrupted
Polling, Inside Risks, *Communications of the ACM*, vol 36 no 11, Nov 1993,
p.122, on her Web site at

I would not trust a computerized voting system even if I had written it
myself, because of the many ways in which such systems can be subverted.
(Last night's events will undoubtedly slow down the final wrapup of
Rebecca's PhD thesis noted in RISKS-21.10, because there is more potential
grist for her mill — not just in Florida, but in other states as well.)

E-voting as a panacea for Florida count?

<"Jeremy Epstein" <>>
Wed, 8 Nov 2000 15:28:02 -0500
An article on quotes "experts" as saying that the problems getting
an accurate vote could have been avoided if everyone used electronic vote
counting technology.  [Note: not online voting... just electronic voting

The article says in part "'Of course you would have 100 percent accuracy
with electronic voting. That would prevent the necessity of a recount,' said
Hans van Wijk, who markets electronic voting systems for Groenlo,
Netherlands-based Nedap.  In the Netherlands, some 80 percent of precincts
use e-voting, he said."

As has been discussed numerous times in RISKS (including yesterday in
RISKS-21.10), electronic counting is certainly not 100% accurate.  But if
this is what the public thinks of electronic counting, will there be the
same naive expectations about accuracy of online voting?  The article talks
about that too (quoting someone from Baltimore Technologies as saying
"Online voting would not only dramatically reduce the count time but also
ensure a more reliable initial result").  There is an acknowledgement that
online voting has its own dangers, noting the risks of accurate
identification of users, denial of service, and malicious attacks.  No
recognition though of the risks of just plain malfunctioning software,

Gotta go.  All this gore-y discussion of a recount in Florida has me


  [For those of you who have not seen it, PLEASE read the
  People For Internet Responsibility Statement on Internet Voting:

CNN: E-voting could have prevented U.S. election chaos

<McLain Evan M CPT <>>
Wed, 8 Nov 2000 19:43:29 -0000

CNN's story about voting technology, on-line and otherwise:

An interesting quote from the article: "But Dublin-based electronic security
company Baltimore Technologies said reliability is no problem. "Online
voting would not only dramatically reduce the count time but also ensure a
more reliable initial result," said a spokeswoman. She added that online
voting would help older, ill, and disabled voters to take part in the

RISKS readers will be happy to see there is also a discussion of potential
fraud and security risks.

Evan McLain <>

"REALITY RESET": "Hacking the Vote"

< ("Reality Reset")>
Wed, 8 Nov 2000 12:46:51 -0800 (PST)

		             "REALITY RESET"
	          Lauren Weinstein (

			    November 8, 2000
		            Today's Edition:
                           "Hacking the Vote"

       To subscribe or unsubscribe to/from this list, please send the
       command "subscribe" or "unsubscribe" respectively (without the
       quotes) in the body of an e-mail to "".

"Hacking the Vote" (November 8, 2000)

"If they'd been listening to me all along, all of this election confusion
could have been avoided," said Paddy Mastoid.

Paddy is the president of, a
firm promoting Internet voting systems.  I found 12 messages from him on my
voicemail this morning, as the nation awoke to the bizarre aftermath of
election day, with a historically close election still undecided and the
U.S. population swinging slowly in the wind.

"Look at this mess," said Paddy.  "Now they have to re-count all those votes
in Florida, there are concerns over voting irregularities down there, and we
might well end up with a President who didn't even win the popular vote!
Talk about not having a mandate.  And I could have prevented all of this

"How so?" I asked.

"Basically, our plan is to eliminate all those long lines at those obsolete
polling places.  We want to toss the antiquated paper ballots, punch cards,
and mechanical voting machines out the window.  We'll let people vote online
using the same home and office PCs that they already use for accessing
offshore gambling sites and downloading porn."

"Hmmm.  Sounds like a tempting goal, but aren't you worried about security,
reliability, all that sort of stuff?" I asked.

"Hey, we didn't just fall off the turnip truck.  We're using secure,
redundant Web servers, so your vote will be just as safe as your credit card
numbers during online purchases," said Paddy.  "You're happy buying things
online, aren't you?"

"Well, no, not really, not with all of the security breaches at sites that
were supposed to be secure, and their compromising of personal information.
I realize that things can go wrong with old-style voting systems, especially
if they're set up badly, but at least with them it's usually possible to do
various forms of meaningful re-counting when there's a question about an
election's validity."

"But that's my whole point!" said Paddy.  "Look at all the trouble being
caused by even being *able* to do a physical re-count.  Wouldn't it be better
to have a nice, computerized system where all the votes are electronic and
stored safely in computers where nobody but programmers, system
administrators, and top election officials can screw around with them?  You
don't think any of those guys would mess things up do you?  When it's all in
the computer, you don't have any *choice* but to trust the computer!  You
can't really re-count so there'd be no point to complaining.  Problem

"Hmmm.  What about hackers?  If these systems are on the Internet, they'd
seem just as vulnerable to attack and manipulation as any other so-called
secure sites."

"Not to worry!" said Paddy.  "We ran a contest and invited hackers to crack
our demonstration system.  Five people tried and the only guy who got in was
a 12 year old kid in West Palm Beach, and he promised cross-his-heart not to
tell anyone how after we gave him a DVD player!  No problem there."

"But why would most hackers even want to tip their hands by playing with your
demo sites?  Wouldn't the real pros just wait until a real election and then
flood your servers with garbage to block real voters out?  Couldn't they
plant surprises in unrelated downloads that could hide on people's PCs for
months or years before being activated on election day to disrupt or
manipulate the voting process?  There's really no way to secure the typical
operating systems that most people have on their home or office computers
from those sorts of attacks," I said.

"Picky, picky, picky!" said Paddy.  "I say let's just deploy these Internet
voting systems now and keep the people happy.  If these hypothetical hackers
you're talking about are really that good, we probably wouldn't even realize
that they'd been screwing around with the election anyway.  Ignorance can be
bliss.  And that would sure be preferable to all the hassles they're having
in Florida today!"

"I really don't think that's necessarily true ..."

"And at least we wouldn't have network TV anchors getting punchy from being
up all night!" said Paddy.

"You do have a point about that," I said.

"I knew that I could convince you, Lauren."

Lauren Weinstein, or or
Co-Founder, PFIR - People For Internet Responsibility -
Moderator, PRIVACY Forum -
Member, ACM Committee on Computers and Public Policy
Copyright 2000 by Vortex Technology.  All rights reserved.
This item may be freely redistributed so long as it is complete
and includes this notice.

Web sites report exit poll results before networks do

<"NewsScan" <>>
Wed, 08 Nov 2000 09:12:36 -0700

Whereas mainstream news organizations were bound by self-imposed rules
preventing them from releasing state exit poll results before the polls
closed, a number of politically oriented Web sites leaked the results as
soon as they were available. Voter News Service (VNS), the consortium of
news organizations that conducted the exit polls, is threatening to bring
legal action against the sites that leaked early results, including and — which, however, indicated that they
obtained the information not from VNS but from unidentified sources. editor Michael Hirschorn said that he had received e-mail leaks
from dozens of mainstream journalists, and that the public have as much
right to know that kind of information as journalists do. He added: "The
genie is out of the bottle, and it's wishful thinking that you could put it
back in. Once this information is out, thanks to e-mail and the Internet, it
becomes incredibly easy to distribute." [AP/*San Jose Mercury News*, 7 Nov
NewsScan Daily, 8 Nov 2000]

Political dirty tricks, cyber-style

<"NewsScan" <>>
Wed, 08 Nov 2000 09:12:36 -0700

In the closing hours of the election campaign the site of the Republican
National Committee (RNC) was vandalized by hackers who urged visitors to
vote for Gore. The Democratic National Committee (DNC) denied it had any
connection to the act of vandalism, and said intruders had forced the
shut-down of the DNC's external e-mail system.  [AP/*USA Today*, 7 Nov 2000; NewsScan Daily, 8 Nov

Vote auction Web site moves operations overseas

<"NewsScan" <>>
Thu, 26 Oct 2000 09:44:02 -0700

A Web site offering to sell 21,000 votes for President to the highest
bidder has changed its domain name and transferred its registration to a
company based in Germany. The site asks visitors to
fill out personal details and then offers to sell the votes in blocks
broken down by state. The goal, according to the Web site, is to bring "the
big money of campaigns directly to the voting public," but the owners, who
are Austrian, say they still need to work out the details of how everyone
would get paid, and how to verify that they cast the right ballot. The site
has been criticized by election officials in Michigan, New York and other
states, but as of its reopening this week, more than 2,500 California
voters had offered their votes and the leading bid was $48,000, or $19.61
per vote. In August, six people offering to sell their votes for President
drew bids as high as $10,000 on eBay before the online auctioneer shut them
down.  [AP 25 Oct 2000
; NewsScan Daily, 26 Oct 2000]

UK air-traffic control problems

<"Peter G. Neumann" <>>
Sat, 04 Nov 2000 20:27:12

If you are interested in aviation safety, you might want to check out, click on "Forums", and then "rumors and news", for a
remarkable collection of computer problems related to ATC in the UK.

Indianapolis FAA route center running on generators for a week

<Nathan Brindle <>>
Tue, 07 Nov 2000 23:45:58 -0500

A week later, the FAA route center at Indianapolis is still running on
backup generator power ever since a 31 Oct 2000 power outage that "caused
flight delays and at least two close encounters between airplanes".  The
cause of the original outage was still unknown.  The route center has 6
diesel generators, three of which are used normally and the other three are
for backup.  However, after the outage, the diesels fired up, but the main
radar could not be brought back up.  The 70 controllers had to had planes
off to other centers.  Close calls were reported by a private jet and a
USAir flight.  Onboard collision avoidance was given credit for avoiding any
tragedies.  [Source: An article in the *Indianapolis Star*, 7 Nov 2000
(Generators used for flight routing as a precaution, by Terry Horne);

Raccoon power outage over the weekend

<Dan Ellis <>>
Mon, 6 Nov 2000 11:19:42 -0800 (PST)

I received the following e-mail on a Monday afternoon (after the problems
had been fixed).  Several physical devices had been damaged (network hubs
and switches) at UC Santa Barbara making for a very unproductive time for
many employees and students and for a very stressful time for facility and
system administrators.

The point: the weak link will be found and exploited by somebody or
something, causing discomfort to us all.  Malicious intent is not a

Dan Ellis, PhD student, UCSB,  (805) 893-4394

> Date: Mon, 06 Nov 2000 08:33:55 -0800
> From:
> To:,
> Subject: power outage over the weekend

> Information only --

> A bit after midnight Friday/Saturday, a raccoon strolled into the power
> substation that serves this end of campus and got across a transformer
> that takes the 16kV line down to 4160VAC.  The raccoon paid the price for
> this, and he is now merely a warning example of how fragile our power
> infrastructure can be.

> However, various buildings on campus also paid a price, as all power on
> the "A" feeder was off line for nearly two hours.

> Some functions in some buildings had not been restored by this morning,
> however, including HVAC and equipment chilled water in Engineering 1.
> Almost all this equipment is now back in operation.  You may wish to check
> computers and process controllers to determine if harm was done during
> this outage.

    [A Rocky Raccoon gets added to the long list of Reubened Mammalians.
    Must have been Raccoonoitering.  After all, it was noit toim, even
    if not Down Under!  PGN]

Researchers able to defeat digital music security measures

<"NewsScan" <>>
Tue, 24 Oct 2000 08:17:09 -0700

A team of computer scientists at Princeton and Rice Universities and the
Xerox Palo Alto Research Center (PARC) has been able to remove the invisible
"watermarks" used by the 200-company Secure Digital Media Initiative (SDMI)
to protect digital music files from pirates.  SDMI had offered a prize
[RISKS-21.05] to anyone who could defeat its various security measures, four
out six of which make use of watermarks.  SDMI's Tala Shamoon said, "I
expected some would have fallen.  This is part of an empirical process to get
the best technology."  [AP/MSNBC 24 Oct 2000; NewsScan Daily, 24 Oct 2000]

Verisign and MS authenticode

<Carl Byington <>>
Mon, 23 Oct 2000 13:04:59 -0700

MS has an authenticode mechanism that allows publishers to digitally sign
their code using certificates from Verisign. The code is signed via a MS
program (signcode) with
as an option.

The Verisign stuff is suppose to properly timestamp the signature, but
their clock is very wrong!! I did the signature at 12:42, and the .exe now
has a new modification timestamp of 12:42, but the certificate claims it
was signed at 12:46. So we cannot really believe the times in any of these
Verisign certificates.

Microsoft Web site vandalized

<"NewsScan" <>>
Fri, 27 Oct 2000 09:00:30 -0700

Microsoft's internal computer network was invaded by "trojan horse" software
that caused company passwords to be sent to an e-mail address in
St. Petersburg, Russia. Calling the act "a deplorable act of industrial
espionage," Microsoft would not say whether or not the hackers may have
gotten hold of any Microsoft source code.  [AP/*The New York Times*, 27 Oct
NewsScan Daily, 27 October 2000]

  [The following issue of NewsScan on 31 Oct 2000 (Hallowe'en!) noted
  Microsoft says the attack lasted only 12 days instead of the 5 weeks
  reported earlier, and no major corporate secrets were stolen.  PGN]

The latest in anti-spam technology

<"Greg C" <>>
Mon, 6 Nov 2000 08:27:47 -0800

This morning I received a spam item that originated in a yahoo
account. Yahoo seems to be pretty good at responding to spam, so I forwarded
a report to them. I noticed in the body of the email that there was the
quasi-traditional "to unsubscribe send your email address" to an account at

So I did the obvious and forwarded the spam again to myrealmailbox (after
first browsing their Web site trying in vain to find a policy towards spam.)
In return I received this reply:

>Subject: Automatic reply
>Date: Mon, 06 Nov 2000 09:09:05 +119303947 (MDT)
>Novell and are not responsible for this
>mailing, it has not used our network or e-mail system.  Novell
>Internet Message System (NIMS) employs some of the most
>sophisticated anti-spamming technology in the industry.
>The sender fraudulently used
>IDs for replies or opt-out mails. These accounts
>never existed or have been terminated. We are committed
>to helping to eliminate this type of mail system

The RISKS? Apparently the technology is so advanced it's learned the art of
plausible deniability. There is also the RISK that a human will never find
out what I originally complained about and modify the system appropriately.

Greg Compestine

Re: EMI, etc. (Ladkin, RISKS-21.08)

<Pete Mellor <>>
Mon, 16 Oct 2000 22:46:01 +0100 (BST)

Regarding the enormous convoluted problem of how much EMI is required to
cause a spark and hence an explosion in a fuel tank (Re: EMI, TWA 800 and
Swissair 111, from Peter B. Ladkin, RISKS-21.08), Andy Weir, in his book
"The Tombstone Imperative" made a very simple suggestion:

  Fill the vacant space above the fuel in the tanks with nitrogen,
  and any spark, however caused, cannot lead to an explosion.

Should not engineers welcome the most simple solution to a problem?

Should we not listen to people who are not engineers?

Peter Mellor, Centre for Software Reliability, City University, London EC1V 0HB
+44 (0)20 7477 8422  Pete Mellor <>

2001 USENIX Annual Technical Conference - Call For Papers

<Andrea Galleni <>>
Thu, 26 Oct 2000 17:28:02 -0700

2001 USENIX Annual Technical Conference Announcement and Call for Papers
25-30 Jun 2001, Marriott Copley Place Hotel Boston, Massachusetts USA

Sponsored by USENIX, the Advanced Computing Systems Association

FREENIX Refereed Track: November 27, 2000 General Session Refereed
Track: December 1, 2000 Notification to authors: January 31, 2001
Camera-ready papers due: May 1, 2001.  Program Chair: Yoonho Park, IBM Research

USENIX Conference Office
2560 9th Street, Suite 215
Berkeley, CA 94710
USA Phone 510-528-8649;
Fax 510-548-5738 email:

Please report problems with the web pages to the maintainer