The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 21 Issue 13

Sunday 3 December 2000


Perspective on election processes
A better election process?
Dave Stringer-Calvert
Australian Internet cable severed
Dave Farber
CIA secret chat room investigated
McAfee VirusScan update crashes Windows
Ticking time bomb in buffer overflow
Jonathan Hayward
Re: The end of the Multics era
Tom Van Vleck
I am glad about the quality of my driver's license photo
Joel Garry
Re: Engine cutouts
Paul Nowak
REVIEW: "Practical Firewalls", Terry William Ogletree
Rob Slade
Info on RISKS (comp.risks)

Perspective on election processes

<"Peter G. Neumann" <>>
Sun, 3 Dec 2000 9:59:37 PST

We have long noted in this forum and before that in the ACM Software
Engineering Notes (which I created in 1976 and edited for 19 years, until
succeeded by Will Tracz -- who has carried on the tradition) that there are
very serious actual and potential problems in computer-related elections.
The current issue of *The New Yorker* (4 Dec 2000) begins with The Talk of
the Town section by considering the current mess: ``But it is not as if we
were without warning.''  The article notes the series of writings of David
Burnham in *The New York Times* in 1985 and Ronnie Dugger's long article in
*The New Yorker* issue dated 7 Nov 1988.  The article notes that Dugger's
1988 article quotes Willis Ware, who has long been a wise observer:

  There is probably a Chernobyl or a Three Mile Island waiting to happen
  in some election, just as a Richter 8 earthquake is waiting to happen
  in California.

Many people have been asleep at the wheel for too long.  See the Election
material on my Web site
for pointers to some of the collected RISKS-historical material, especially
the Illustrative Risks section on Election Problems, a document in which
I have long cited Burnham's articles from *The NY Times*, 29 and 30 Jul, 4
and 21 Aug, and 18 Dec 1985.  (I have already noted the 14% undervote for
the Senate race in Florida in 1988.)  What we are experiencing now is not a
new problem.  Unfortunately, it had not previously reached Chernobyl-like
proportions or surfaced in a close presidential election.  Nevertheless, the
process that is currently before us is finally forcing an examination of
many of the relevant issues.  I hope that some of the more basic deeper
issues will not be ignored in trying to resolve the immediate issues.  The
time has come for a serious reassessment of the entire process.

Apologies for the long gap since the appearance of RISKS-21.12 on 11 Nov
2000.  We have received an enormous amount of e-mail on this topic, although
some of it has been superseded by events, and some of it is too politically
motivated to include here.  There are so many issues at the moment, such as
chad slots that have not been cleaned in many years, the causes of dimpled
punched cards, absentee ballot irregularities, the desirability of manual
recounts in Florida and New Mexico and elsewhere, etc., that we cannot begin
to enumerate them here.  On the other hand, objectivity would seem to be
extremely desirable at this time.

Let me offer just a few suggestions:

 * In the UK, Canada, France, Germany, and many other places, ballots for
   national elections consist of a single piece of paper with one candidate
   to be selected for one office.  This is an extremely reliable process, is
   counted very quickly in a highly distributed fashion, and seldom
   challenged.  Perhaps in the U.S., elections for the President should be
   considered a Federal function and conducted by a one-issue paper ballot,
   with all other election issues run by local jurisdiction in their own
   way, as is the case at present.  Even in such a simple paper ballot, the
   challenges of avoiding fraud and accidents are significant, but by no
   means unsolvable.  The reliability can indeed be greater than in all of
   the alternatives.

 * If ballots are to be recorded and counted electronically, some sort of
   nonforgeable, nonalterable, and nonbypassable audit record must exist to
   make electronic tampering and accidents infeasible.  Of course, voter
   privacy also needs to be honored.  No existing electronic systems have
   anything close to what might be considered adequate, and the election
   system developers (with proprietary closed-source code) do not seem eager
   to take the extra miles needed for greater integrity.  Claims of
   integrity are not backed up by standard practice of secure systems
   (which itself is extraordinarily weak), and no one seems to be applying
   even the relatively minimal standards of the Generally Accepted System
   Security Principles
   or reasonable certification processes.

 * Voting by the Internet, even if only from well established polling
   places, is and will remain extraordinarily risky because of the inherent
   untrustworthiness of computer systems attached to the Internet and
   indeed the networking itself.  It should not be recommended for use
   in the foreseeable future.

 * Fraud and accidents must be anticipated throughout the election process.
   Election systems must be designed, implemented, and operated as systems
   in the large, and the human interfaces (for voters, administrators,
   maintenance personnel, etc.) must be considered as integral parts of
   the system.  Any system should have live checking for invalid ballots.
   This existed decades ago in lever machines, and is common in electronic
   systems.  If punched cards survive after 2000, card systems could easily
   include a single precinct display device that checks for overvoted or
   otherwise invalid ballots and for undervoted ballots before they are

 * I previously noted the doctoral thesis work of Rebecca Mercuri.  She has
   devoted an entire dissertation to the topic of election system integrity,
   and particularly the conflicts inherent with process integrity and voter
   ballot privacy.  The thesis takes a broad system approach to voting
   security/integrity/reliability, and is in fact relevant in a much broader
   context.  Highly recommended.  For information, see her Web site:
   Rebecca also considers a proposal for an auditable paper trail of each
   electronic ballot that is verified by each voter before leaving and
   automatically deposited in a tamperproof receptacle.  This is still not
   enough, but is worth considering as one more integrity measure.  (For
   example, voters should not be allowed to photograph that record, because
   of the requirement that votes must not be salable, for example based on
   paper evidence of how you voted!)

Many wags have cited the aphorism that perfection is the enemy of the good.
In election systems, there will never be perfection.  But the existing state
of the art is the enemy of sanity, and a rush to all-electronic voting is
utter madness -- even though it may appeal to advocates of conceptual
simplicity.  It is by no means an easy path, if all of the desired
requirements of the voting process are to be satisfied.  And there is an
enormous gap between the concept and an implementation that provides any
real assurances.

  [weak week typo fixed  PGN]
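
One way to realize the audit-record property in the second suggestion above, as an added example that is not part of PGN's post: a keyed hash chain over anonymous ballot records, so that alteration, deletion or reordering of recorded ballots is detectable by whoever holds the audit key, while no record names a voter. The key value, precinct and office names are constructed for illustration.

```python
"""Tamper-evident audit record for electronically counted ballots.

Added example: each entry is an anonymous (precinct, office, choice)
record carrying an HMAC over the previous entry's tag and its own
content. The verification key is assumed to be held by an auditor,
not by the counting software, so entries cannot be forged by it.
"""
import hashlib
import hmac
import json

AUDIT_KEY = b"example-auditor-key"  # constructed placeholder, not a real key


def _tag(prev_tag: str, record: dict, key: bytes) -> str:
    # Canonical JSON makes the tag independent of dict ordering.
    body = json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, prev_tag.encode() + body, hashlib.sha256).hexdigest()


def append_ballot(log: list, precinct: str, office: str, choice: str,
                  key: bytes = AUDIT_KEY) -> dict:
    """Append one anonymous ballot record, chained to the previous entry."""
    prev_tag = log[-1]["tag"] if log else "genesis"
    record = {"seq": len(log), "precinct": precinct,
              "office": office, "choice": choice}
    entry = dict(record, tag=_tag(prev_tag, record, key))
    log.append(entry)
    return entry


def verify_log(log: list, key: bytes = AUDIT_KEY) -> tuple:
    """Return (True, length) if intact, else (False, index of first bad entry)."""
    prev_tag = "genesis"
    for i, entry in enumerate(log):
        record = {k: v for k, v in entry.items() if k != "tag"}
        if record.get("seq") != i:  # a deleted or inserted entry breaks the sequence
            return False, i
        if not hmac.compare_digest(entry["tag"], _tag(prev_tag, record, key)):
            return False, i  # altered content or wrong key
        prev_tag = entry["tag"]
    return True, len(log)


def tally(log: list, office: str) -> dict:
    counts = {}
    for e in log:
        if e["office"] == office:
            counts[e["choice"]] = counts.get(e["choice"], 0) + 1
    return counts


def demo() -> dict:
    log = []
    for choice in ["A", "B", "A"]:  # three constructed ballots
        append_ballot(log, "P-01", "President", choice)
    tampered = [dict(e) for e in log]
    tampered[1]["choice"] = "A"  # alter one recorded ballot in place
    dropped = [dict(e) for e in log[:1] + log[2:]]  # delete one ballot
    return {"before": verify_log(log), "altered": verify_log(tampered),
            "deleted": verify_log(dropped), "tally": tally(log, "President")}
```

The chain shows that what was recorded has not been changed; it cannot by itself show that every cast ballot was recorded, which is why the post's nonbypassability requirement still needs reconciliation against an independent record such as the voter-verified paper trail mentioned below.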

A better election process?

<Dave Stringer-Calvert <>>
Fri, 01 Dec 2000 13:39:28 -0800

If the election is not decided by the beginning of April 2001, then next time
let's take inspiration from the lottery -- lottery `turn out' is much higher
than in elections, and there is already a large investment in the necessary
infrastructure at your local 7-11 to handle it.

Pay to vote.  Pay $1 to cast a vote (we suggest voting early, and often).
Note that, for the lazy voter, the machines already have a `random pick'
function, if you have difficulty deciding on a candidate for yourself.

The collected monies are placed in a large fund which is either:

a) distributed to the `winners' of the election (winner := people who
   voted for the winning candidate);

b) distributed to the `losers' (loser := NOT winner), to compensate them
   for living under an administration they did not choose;

Of course, this would imply a tracking system in order to distribute the
`prize fund', violating the principles of anonymity of voting.  So let's
turn this upside down and offer a more effective use of campaign funds --
pay the voters who turn out, say $5 each.  They could use this to play the
`real' lottery, and perhaps by voting next year, you could win enough to run
for presidential office in 2004...

Dave (who doesn't have the right to vote anywhere, but can still play
the lottery)

Australian Internet cable severed

<Dave Farber <>>
Tue, 21 Nov 2000 21:05:35 -0500

  [PGN-ed from Dave Farber's IP.]

Australia's largest international Internet cable was severed on 20 Nov 2000,
partially disrupting Internet traffic in Singapore, Indonesia and
Australia.  The cable carries about 60 percent of Australian ISP Telstra's
international Web traffic.  While Telstra has since managed to redirect most
of its Internet traffic to another undersea cable, bringing its Internet
services back to around 75 percent of capacity, it's not yet been able to
determine how long it will take for Internet traffic across the cable to
return to normal.

  [For Dave's archives and subscription information, see
  . PGN]

CIA secret chat room investigated

<"Peter G. Neumann" <>>
Mon, 13 Nov 2000 08:16:29 -0500

Following onto but totally unrelated to the John Deutch saga (RISKS-20.78),
the CIA has uncovered a secret chat room within its classified confines ``to
trade off-color jokes, musings, and observations that went undetected for
more than five years'' -- involving about 160 employees.

[Source: URL:,4586,2652732,00.html,
CIA secret chat room investigated, Tabassum Zakaria, Reuters, 12 Nov 2000,
initially reported by *The Washington Post* on 12 Nov 2000.  PGN-ed]

  [Typo in 20.78 fixed in archive copy.  PGN]

McAfee VirusScan update crashes Windows

<"Peter G. Neumann" <>>
Sun, 3 Dec 2000 10:11:16 PST

Windows 95, 98, and NT all seem to have crashed under McAfee virus
definition file version 4.0.4102.  It includes a driver that
actually imitates the virus.  Network Associates recommended starting in
Safe Mode and disabling VirusScan's startup scan.

  [Only 4102 versions?  Be sure to subscribe to the virus-a-day club.]

Ticking time bomb in buffer overflow

<Jonathan Hayward <>>
Wed, 22 Nov 2000 14:27:19 -0600

A couple of months ago, a buffer overflow vulnerability was discovered in
Outlook Express that allows arbitrary code to be executed when the user
downloads messages with mauled date headers.

Microsoft has released a patch that many people consider a cure worse than
the disease.  They still have yet to release a patch that users won't curse.

The Morris Internet worm hit the Internet at a time when there was no money
to be made on it by insider trading.

Am I the only one to see a time bomb here?


Re: The end of the Multics era

<Tom Van Vleck <>>
Sun, 12 Nov 2000 11:06:30 -0500

Multics's ideas and approach to problem solving continue to be relevant.
Those who had the privilege to work with the system and its team remember
the experience fondly and apply its many lessons to new challenges.  As I
have written elsewhere, "as long as we have Multicians, we have the best
part of Multics."  Let's all use what we learned, and do some more work we
can be proud of.

Incidentally, the 9 goals are in "Multics -- the First Seven Years" by
Corbato/Clingen/Saltzer, 1972 FJCC, available on the Multicians website,

I am glad about the quality of my driver's license photo

<Joel Garry <>>
Sat, 11 Nov 2000 14:02:05 -0500

The following is a paragraph from an article on entitled
"Convention for chiefs of police displays crime-fighting tools," about The
International Association of Chiefs of Police having their convention in
San Diego:

  Also on display will be the RangeFinder, a facial recognition system that
  is supposed to be able to scan everyone from people seated in cars to
  those standing at a public gathering and automatically identify them from
  data in government computer files. It is touted as capable of making
  allowances for changes in appearance of the people it scans, such as
  through aging, hairstyle alteration and weight gain or loss, said Mike
  Maloney, a spokesman for NEC.

Unfortunately NEC doesn't seem to have posted details of this yet on the
website I checked (, which does have details about a
fingerprint device mentioned in the article).  However, it seems to me there
would be a risk of extrapolation error, as well as pattern matching variance
issues.  Beyond that, the differential between what humans perceive and what
a technological device observes has already proved challenging to the legal
system, and there is certainly a risk of believing the computer over people,
as well as criminals modifying their behavior to fool the technology.  I
can't help but wonder how much of this technology relies on "image
enhancement," where the algorithms employed may even have a net effect of
supporting discredited theories of physiognomy.

Re: Engine cutouts (Colburn, RISKS-21.10)

<Paul Nowak - SUPCRTX <>>
Fri, 1 Dec 2000 18:01:16 -0700

I got a kick out of this one having done the same thing with my 1990 Nissan
300zx when I first purchased it. My girlfriend lived in Pittsburgh, and
between there and DC was a stretch of road that got over a steep ridge by
means of a traverse. This naturally left little room for the Bear to set up
and was the perfect place to test out my new wheels. I was carefully
watching tach and speed so I would know the capabilities and handling of the
car. Unfortunately I was unaware that there was an engine cutout and thought
I had blown my engine. I just coasted down (I know how to drive with the
power assist gone...just keep the key at "ON" to avoid the little difficulty
of the steering column lock) and *very* tentatively re-started.

The real risk is not advertising *all* the safety features.


REVIEW: "Practical Firewalls", Terry William Ogletree

<Rob Slade <>>
Mon, 20 Nov 2000 14:56:51 -0800

BKPRCFRW.RVW   20000823

"Practical Firewalls", Terry William Ogletree, 2000, 0-7897-2416-2,
%A   Terry William Ogletree
%C   201 W. 103rd Street, Indianapolis, IN   46290
%D   2000
%G   0-7897-2416-2
%I   Macmillan Computer Publishing (MCP)
%O   U$34.99/C$52.95/UK#25.50 800-858-7674
%P   491 p.
%T   "Practical Firewalls"

Unfortunately, not much of this book is really practical.  And a lot of it
is not about firewalls, either.

Part one presents the fundamentals of understanding firewalls and security.
Chapter one looks at firewall basics, mentioning many topics but doing a
poor job of explanation.  Since the material is very generic there is almost
no detail.  The TCP/IP content, in chapter two, is also quite vague, with
lots of irrelevant details like DNS (Domain Name Service) record field names,
but little related to security, and that of low quality.  Security and the
Internet gives a general listing of threats, most not related to firewalls,
in chapter three.  Chapter four has some good discussion of some aspects of
policy and design, but it is limited.  There are rough outlines of firewalls
structures, but the material on pros and cons is poor.  (As the book
progresses there are increasing amounts of repetitious text, as this chapter
amply demonstrates.)  The review of packet filtering, in chapter five, has
some good points, but too much of the text relies on "one size fits all"
pronouncements.  Again, there is a lot of irrelevant detail on TCP/IP
headers and not much on, say, filtering rules.  Because a bastion host is
very highly secured itself, chapter six is merely general security material,
touching on too many operating systems for good coverage.  Some good points
but limited scope makes the proxy server topic weak in chapter seven.
Chapter eight does slightly better on auditing, by limiting itself to UNIX
and Windows NT.

Part two looks at encryption, the relationship of which to firewalls is
problematic.  Chapter nine does not really cover encryption technology,
being simply a set of definitions of basic terms.  Since a Virtual Private
Network (VPN) is defined, in chapter ten, in terms of tunneling, the
material is necessarily restricted to that subsection of the field.  Chapter
eleven does not really tell the reader how to use PGP (the Pretty Good
Privacy encryption program) but only deals with some aspects of

Part three touches on installation and configuration of a number of
products.  Chapter twelve lists a number of firewall related tools, for
UNIX, that are available on the Internet.  "Lists" is definitely the
operative word: so little information is given about the programs that
chapters thirteen through sixteen cover basic installation and components of
TCP Wrappers, TIS (Trusted Information Systems) Firewall Toolkit, SOCKS, and
SQUID.  ipfwadm and ipchains (for Linux) are described in chapter seventeen.
Turning to Windows NT, chapter eighteen recounts the installation of
Microsoft Proxy Server and nineteen does the same with the Elron CommandView
firewall.  Firewall appliances, or standalone units, are promoted in chapter
twenty.  Chapter twenty-one closes off with the same kind of vague
generalities given in part one.

The most valuable part of this book is part three: even though the material
is very limited, it is, at least, of some practical use.  Most of the other
content is of questionable accuracy or completeness, and therefore
restricted in practicality.  As noted, large sections of the text aren't
even about firewalls.  This book definitely does not compare with the
classics like Cheswick and Bellovin's "Firewalls and Internet Security"
(cf. BKFRINSC.RVW) or Chapman and Zwicky's "Building Internet Firewalls"
(cf. BKBUINFI.RVW): a few suggestions about installation of specific
programs does not make up for a lack of explanation of fundamental concepts,
attacks, and defensive strategies.

copyright Robert M. Slade, 2000   BKPRCFRW.RVW   20000823    or