The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 21 Issue 44

Monday 4 June 2001

Contents

House Science Committee hearings on voting systems
Douglas W. Jones
Swimming-pool changing cubicles
Alan Barclay
Insurer considers Microsoft NT high-risk
Oleg Broytmann
UK Government Gateway blocks non-MS browsers
Chatan Mistry
The risks of clueless marketing
Greg Searle
Computer-generated mail -- too easy to fake?
David G. Bell
Forgery attempt -- risk of identity theft
David Lesher
Sex-offender database risks
RISKS
Crash leaves disabled riders stranded
Jeremy Epstein
BT upgrade: The best laid plans...
John Sullivan
Re: Software Engineering, Dijkstra, and Hippocrates
Scot Wilcoxon
Richard I Cook
Re: EU considers retaining *all* telecom traffic
Michael Weiner
Re: NZ Electoral Web Site
Richard A. O'Keefe
Re: Another Backhoe Reminder
Arthur Marsh
Re: WeatherBug and Gator
David Crooke
Re: 37% of programs used in business are pirated
Jurek Kirakowski
Merlyn Kline
More SMS SPAM
Simon Waters
Re: Lost train
Mark Brader
Info on RISKS (comp.risks)

House Science Committee hearings on voting systems

<"Douglas W. Jones" <jones@cs.uiowa.edu>>
Tue, 29 May 2001 15:05:18 -0500 (CDT)

On May 22, 2001, the House Committee on Science held a hearing entitled
"Improving Voting Technology: The Role of Standards", with Stephen
Ansolabehere from MIT, Rebecca Mercuri from Bryn Mawr, Roy Saltman [retired
from NIST], and myself -- Douglas Jones from the U of Iowa.

The House Science Committee web site has an archive of the written
testimony submitted in advance of all committee hearings.  For this
hearing, they also have a real-audio webcast-transcript in their
archive.  See:

  http://www.house.gov/science/full/fchearings.htm

It's sorted in reverse chronological order; scroll down to May 22, 2001.

In sum, I feel we presented a fairly strong united front on the key problems
we face when using computers to count votes -- we agreed that current
technology is poorly regulated, that many current voting systems have major
defects, and that stronger standards must be put in place before any
large-scale rush to replace "outmoded" voting systems with new technology.

We did disagree about whether a new standard would have an effect on the
next presidential election.  I was, I think, the most pessimistic in this
regard.  It may be that our answers depended on our interpretation of the
question -- I assumed that it would take a year, at minimum, to put a new
standard in place, and that it would take vendors a year, at minimum, to
offer new machines based on this standard.  I also assumed that old machines
would be grandfathered in, so the new standard would not have a significant
impact on real polling places for several more years as old machines were
slowly phased out.

Doug Jones <jones@cs.uiowa.edu>


Swimming-pool changing cubicles

<Alan Barclay <gorilla@elaine.furryape.com>>
Mon, 28 May 2001 14:55:49 -0400

*The Register* reports on French swimming pool "Centre Sportif Richard Bozon"
at http://www.theregister.co.uk/content/28/19236.html. It seems that
instead of a simple and traditional bolt on the doors to the changing
cubicles, the centre has installed a computerized array of motion sensors,
which detect if the cubicle is in use and display a red or green light
to indicate occupation. There is nothing to prevent someone from ignoring
the lights and opening an occupied cubicle.

The obvious flaws are pointed out by *The Register*, including the problem
for colour-blind people, and the sheer stupidity of putting in a high-tech
solution to a low-tech problem, but they miss other problems, such as false
positives and false negatives and the requirement to train the users of the
facility of the meaning of the lights.

  [Boz-on and Boz-off?  Beau-saun(a)?  Hose-sauna?
  But watch out for swimsuits with false positives.  PGN]


Insurer considers Microsoft NT high-risk

<Oleg Broytmann <phd@phd.fep.ru>>
Tue, 29 May 2001 12:20:53 +0400 (MSD)

[...] An insurance company has started to charge 5-15% more if you use
Windows NT as a base for Internet services:

  "We saw that our NT-based clients were having more downtime" due to
  hacking, says John Wurzler, founder and CEO of the Michigan company, which
  has been selling hacker insurance since 1998.  Wurzler said the decision
  to charge higher premiums was not mandated by the syndicates affiliated
  with Lloyd's of London that underwrite the insurance he sells.  Instead,
  the move was based on findings from 400 security assessments that his firm
  has done on small and midsize businesses over the past three years.
  Wurzler found that system administrators working on open-source systems
  tend to be better trained and stay with their employers longer than those
  at firms using Windows software, where turnover can exceed 33 percent per
  year.  http://www.zdnet.com/intweek/stories/news/0,4164,2766045,00.html

Oleg Broytmann  http://phd.pp.ru/  phd@phd.pp.ru


UK Government Gateway blocks non-MS browsers

<"Chatan Mistry" <Chatan@iname.com>>
Mon, 28 May 2001 20:57:15 +0100

An article appeared on *The Register* on 28 May 2001.  The original article
can be found at http://www.theregister.co.uk/content/4/19239.html

In short, the article briefly described an investigation by the UK Linuxuser
magazine.  It has found that the certificates being used on parts of
gateway.gov.uk, the UK government's attempt at making all services available
online by 2005, are specific to Windows and Internet Explorer 5.01.  These
signatures are currently provided by Equifax and ChamberSign.  The article
also goes on to say that:

  The Government Gateway doesn't exactly have much up on it at the moment,
  but the likelihood is that although simple registration by user name and
  password will give you access to some information services, all of the
  transactional ones will require use of certificates.

  The one service available for individuals, electronic filing of tax
  returns, certainly does, so effectively only Windows/IE users can
  currently use it. UK.gov seems to have swallowed the Microsoft pitch
  whole; according to Linuxuser, the explanation given is that "other
  browsers do not give proper support for SSL and digital certificates."

I for one am very concerned.  With Microsoft-based servers apparently being
hacked almost at will, I can see a future when it will no longer just be the
Internet where your identity can be used.  And just for variety, what about
if you are one of these people (albeit in the minority) that uses a non-MS
operating system or x86 hardware (such as a Mac)?

Of course, until the original Linuxuser article appears (the issue
containing this article goes on sale next week), none of this can be
corroborated.


The risks of clueless marketing

<"Greg Searle" <gsearle@s1.com>>
Tue, 29 May 2001 11:22:58 -0400

Has anyone else noticed the cluelessness of Microsoft's marketing when
assigning a name to their new line of products?  Do you think any of these
marketing people are familiar with the popular "emoticons", or "smileys"?
Has anybody else realized that "XP" is a person wincing and sticking their
tongue out?  Will the new MS products leave a bad taste in your mouth?  :-b

  [:-b is itself quite nice.  A tongue-tied emoticon? PGN]


Computer-generated mail -- too easy to fake?

<dbell@zhochaka.demon.co.uk (David G. Bell)>
Sat, 02 Jun 2001 19:32:56 GMT +0000

A front-page story in *The Yorkshire Post* of 2 Jun 2001 reported that fake
letters had been sent out in Bradford, requesting that people send
_original_ birth certificates to enable the local council to recreate
records lost through a computer error.

Original birth certificates are usable for identity theft.

The new twist comes from how the letters were created:

  A council spokesman said they had no reason to believe council employees
  had stolen headed paper as the headings on most council correspondence
  were printed off on each individual letter by computer, and so could be
  copied by anyone who has received a letter by e-mail.

I'm not sure just what the computer-printed headings are, whether it
includes some expensively-designed logo, and what details are actually
included in e-mails.  Obviously, it's that little bit easier to fake a
letter if the genuine article is entirely computer-printed, rather than
using old-fashioned pre-printed paper.  Even with that barrier, people are
becoming used to entirely computer-printed letters, headings and all.

I just hope I don't get an e-mail from Bradford council, if they have their
logo attached as a graphics file.

[Original Yorkshire Post story by Amy Binns <amy.binns@ypn.co.uk>]

David G. Bell -- Farmer, SF Fan, Filker, and Punslinger.


Forgery Attempt -- risk of identity theft

<David Lesher <wb8foz@nrk.com>>
Sat, 2 Jun 2001 11:11:06 -0400 (EDT)

of a different sort....

<http://washingtonpost.com/ac2/wp-dyn/A10385-2001Jun1?language=printer>

  ... The package arrived bearing the official stamp of the Prince George's
  County clerk of the Circuit Court, the signature of the chief judge and a
  court order demanding the immediate release from prison of a triple
  murderer.

{details re: attempt to free prisoner with forged documents}

  [Prince George's Chief Administrative Judge William D.] Missouri said he
  believes the signatures were photocopied from real court documents and
  pasted onto the fake release order. He suspects that someone inside the
  courthouse may have been involved.  ...

This is not the first time copied signatures have been used.  It won't be
the last. But one wonders what the big push at retailers toward digitized
credit-card slips will bring.


Sex-offender database risks

<RISKS List Owner <risko@csl.sri.com>>
Tue, 29 May 2001 16:02:19 -0500

One of our readers was searching through the Illinois Registered Sex Offender
database at
  http://samnet.isp.state.il.us/ispso2/sex_offenders/index.asp
and ferreted out a wide variety of database errors, some of which could have
really nasty consequences.  There are lots of incorrect street addresses,
ZIP codes, mispelingz, inconsistencies, people living in different
apartments shown with the same address, etc.  The Chicago Police Department
Sex Offender Database is not consistent with the Illinois State Police Sex
Offender Information.  To discourage vigilantes, the former database omits
digits of addresses that are given in full in the latter, but the former has
photos that are omitted by the latter.  One wonders about how many entries
point to the wrong person.  Overall, the risks are many.


Crash leaves disabled riders stranded

<Jeremy Epstein <jepstein@acm.org>>
Sat, 02 Jun 2001 21:49:06 -0400

MetroAccess is a Washington DC-area public transit system for the disabled
(door-to-door service).  Users call up at least 24 hours in advance to make
a point-to-point reservation to get to/from work, shopping, medical care,
etc.  According to a 1 Jun 2001 article in *The Washington Post*
(http://www.washingtonpost.com/wp-dyn/articles/A3679-2001May31.html), Metro
Access lost all reservations for services due to crashes by both the primary
and secondary systems.  Those with regularly scheduled service (e.g., every
day or every week) were recovered from a backup system, but anyone with a
one-time reservation was lost (about 1000 of the 2800 entries in the
database).

The contractor that runs the system "has no idea who had placed the
remaining 1000 reservations and made public pleas for anyone with a Metro
Access reservation to call and confirm it."  Which could, of course, lead
to more failures as the system gets overloaded with calls.

The article claims that it was a hardware, not a software problem.  No
information was provided on how often backups are done, or how both the
primary and secondary systems failed at once (seems quite unlikely if it
truly is a hardware problem, unless both were hit by lightning or
something like that).


BT upgrade: The best laid plans ...

<John Sullivan <john@kanargh.force9.co.uk>>
Fri, 1 Jun 2001 19:02:50 +0100

British Telecom currently offer two fixed-cost internet access plans for
ISPs to resell. One ISP, PlusNet, has supported the old scheme (SurfTime)
since last year. However they wanted to move over completely to the new
scheme (FRIACO) which is simpler and cheaper. This has been in the pipeline
for months. Amongst other differences SurfTime requires you to buy two
separate components, one from the ISP and one from BT.

A couple of days ago an email was sent announcing today as the date of the
big change. It recommended cancelling the BT component of SurfTime last
night (the 31st May), as they would no longer be supporting at their end as
of now.

Early this morning user accounts were migrated across, the FRIACO access
numbers were enabled and the old SurfTime numbers were disabled. The problem
is that both services require your local exchange to be upgraded and
configured, by BT, just so. And many exchanges haven't been, resulting in
many unhappy customers unable to dial in.

At 5pm (about 12 hours after the migration) PlusNet announced that the
SurfTime access numbers had been re-enabled until such time as BT fixed
their end of things. Unfortunately some people had already followed the
instructions in their previous message to cancel their SurfTime subscription
at the BT end last night...

One message from PlusNet reads:

> We are obviously very disappointed about this as we have spent months on
> meticulous planning, but we have been let down somewhat by third parties.

Of course, with so much planning it was *bound* to work first time. No need
to keep the old service available until the new was *proven* to work, oh no.


Re: Software Engineering, Dijkstra, and Hippocrates (M.Cook, R-21.42)

<Scot Wilcoxon <scot@wilcoxon.org>>
Sun, 27 May 2001 10:55:37 -0500

> The March 2001 issue of the *Communications of the ACM* contains an
> article by Edsger Dijkstra called "The End of Computing Science?"
...
> As many of the RISKS entries have shown, application and other developers
> have certainly made a mess of things at times, often of Laurel and Hardy
> proportions ("That's another fine mess you've got us into."), and worse.

The title refers to "Computing Science".  Most developers have never
taken a Computer Science course, much less know the underlying concepts
or apply them.  I suspect many do not know who Dijkstra or the ACM are.


Re: Software Engineering, Dijkstra, Hippocrates (M.Cook, RISKS-21.42)

<"Richard I Cook" <ri-cook@uchicago.edu>>
Tue, 29 May 2001 12:03:46 -0500

Michael Cook [no relation] wrote in RISKS-21.42

> If/when Software Engineering becomes a fully licensed profession, perhaps
> part of the code of ethics should be similar to the intent of part of the
> Hippocratic Oath, "First, do no harm".  This is a paraphrase of the
> statement "The health and life of my patient will be my first
> consideration" which is from the World Medical Association's "Declaration
> of Geneva" of 1948.

Speaking from experience as a member of the profession for which that oath
was originally developed, I would suggest that Michael's laudable objectives
might better be pursued via some other route.

Richard I. Cook, MD


Re: EU considers retaining *all* telecom traffic (Weingart, R-21.42)

<"Michael Weiner" <michael_weiner@gmx.net>>
Mon, 28 May 2001 08:17:35 +0200

Dave Weingart reported on EU plans to retain all telecoms traffic.
Apparently, the EU is not that ambitious, but the issue is critical enough.
Current EC telecommunications law protects the privacy of telephone users by
obliging the operator to delete or anonymize traffic data as soon as there
is no more pressing need to retain it (e.g., as the bill for the services
has been paid, etc. - see article 6 of
  http://europa.eu.int/eur-lex/en/lif/dat/1997/en_397L0066.html).

Law enforcement agencies find this cumbersome as it does not allow them to
obtain information on past telephone usage (for the period before they
placed a tap). Statewatch, a British NGO active in the field of privacy
protection, has published a leaked EU Council document on its website that
urges the Commission "to review [...] the provisions that oblige operators
to erase traffic data or to make them anonymous" in order to "ensure that
the purpose limitations regarding the personal data do not come into
conflict with the law enforcement authorities' needs of data for crime
investigation purposes":
  http://www.statewatch.org/news/2001/may/enfo7277.htm

If this initiative is acted upon, it will significantly reduce the privacy
protection of telephone users in the European Union. Network operators will
have to foot the bill for providing the necessary storage space and for
carrying out the database searches that will no doubt be requested by law
enforcement agencies.


Re: NZ Electoral Web Site

<"Dr Richard A. O'Keefe" <ok@atlas.otago.ac.nz>>
Fri, 25 May 2001 14:39:53 +1200

I've had some responses to my note in RISKS-21.41.  Others have confirmed
that they find the pages unreadable.  The site maintainer has also been in
contact, and in fairness I think I should make these points.

(1) NZ law requires a signature on any application to
    change electoral roll records; what the Web site does
    is let you fill out a form electronically which you can
    then fill in, sign, and post, or you can ask them to
    print the completed form and post it to you.
(2) This means that the newspaper report that you can
    enroll and change your record ONLINE is at best a
    half-truth.  RISK of believing the newspapers?
(3) The maintainer did not respond with an angry defence
    but has sought constructive advice about improving the
    site.  I sent some advice, and was given a thank-you.
(4) It's more secure than I said.  Apparently, had I been
    able to get further, I would have been asked for my
    house number as well.  (No comment on my part required.)
(5) I was assured that the site had been "extensively
    tested":  on Windows, using Netscape 4 and IE 4.  They
    don't apparently have a Mac to test things on.
(6) The fact that I can't get through *may* have something
    to do with the support (or lack of it) for SSL at this
    end.  (iCab indicates this with "Network error #-15",
    some browsers are better, some are even worse.)

There remains the Risk of a NZ Government project being placed in a position
where "extensive testing" has to mean Windows-only.


Re: Another Backhoe Reminder (Felsche, RISKS-21.41)

<Arthur Marsh <arthur.marsh@adelaide.edu.au>>
Thu, 24 May 2001 16:06:19 +0930

I doubted that there were "thousands" of fibres to reconnect, and looked
for other accounts of the incident. ZDNet Australia had an account at:
http://www.zdnet.com.au/news/dailynews/story/0,2000013063,20222584-1,00.htm
that included:

  Telstra crews had to replace 1.5 kilometres of cable and reconnect
  every individual fibre optic wire within it - about 150 strands in total.

Arthur Marsh, Network Support Officer, Information Technology Services
The University of Adelaide SA 5005 Australia  Ph: +61 8 8303 6109

  [PGN notes: This was also discussed by Kent Borg, who added a
  Lesson: Just because someone is an official spokesman doesn't mean he
  actually knows what he is talking about.  Also, just because something
  is written with quote marks doesn't mean the quote is accurate.
  Someone clearly confused the image of a trunk of a zillion copper
  pairs with fiber optic cables and came up with a mule that doesn't
  exist; and no Australian Broadcasting Corporation editor caught it.]


Re: WeatherBug and Gator (Garrison, RISKS-21.42)

<David Crooke <dave@convio.com>>
Sat, 26 May 2001 00:37:27 -0500

Your correspondent seems surprised that the accompanying Gator product
offers to store passwords, but this is a feature of more than one modern
browser (Mozilla and Internet Explorer spring to mind) and of almost every
one of Microsoft's own products, including (laughably but sadly) their PPTP
VPN client.


Re: 37% of programs used in business are pirated (RISKS-21.42)

<jk <jzk@ucc.ie>>
Mon, 28 May 2001 13:49:58 +0100

This study clearly has shock value as it combines seemingly objective data
and emotive language.  I have noted a number of misquotations of its
findings in various news announcements and tried to find out how this figure
of 37% is really computed.

But first of all, as to credibility of source: does the Business Software
Alliance (BSA) have any vested interest in artificially inflating or
deflating this figure? The International Planning and Research (IPR)
organisation which seems to have advised the BSA says that 'BSA educates
computer users on software copyrights; advocates public policy that fosters
innovation and expands trade opportunities; and fights software piracy.'
The BSA report at http://www.bsa.org/resources/2001-05-21.55.pdf concludes
that 'To ensure a high level of confidence, member companies of BSA reviewed
the results of the study and their input was used to validate and refine the
study assumptions'.

This sounds like an inherently highly risky procedure for obtaining the
truth.  But to press on...

The methodology, from what I can understand of it, compares the number of
computers sold to each country with the amount of software sold to that
country (lots of various 'adjustments' for replacements, maturity etc the
bases of which are not explained).  The number of computers sold is then
multiplied by a number (again, all highly convoluted, but no hard details as
to where these magic numbers come from) to give a figure for the demand for
software given the hardware sales.  The difference between this demand
figure and the amount of software actually sold is the amount of 'piracy'.
This is in fact a gross simplification of their actual methodology but seems
to be the essence of it.  It relies a lot on magic numbers.

In comparison to the coyness of the description of how all the magic numbers
are computed, the final data, *is* displayed in glorious detail per country,
per year, dollar loss, etc.

If the way the magic numbers were arrived at is fair and above board, then
it would make sense to publish details of the process in order to boost the
confidence of the report and to show that not only does it make an emotive
point, but that it has good grounds for doing so. Otherwise, given the
source, one may be tempted to dismiss it on the grounds of possible
self-interest by the authors (if they wish to fight software piracy, they
could hardly publish a report which says that software piracy doesn't exist,
could they?)

I spoke last summer to a technical manager of a medium-sized company in one
of the so-called 'black spots' of software piracy fingered in the report.
He told me that when they up-sized, the company had moved from MS Office to
Star Office, because the latter was being given away for free.  He also told
me of how the company sourced shareware and freeware because he didn't trust
'black-market stuff'. Shareware is usually an order of magnitude cheaper
than commercial stuff, and you often get to keep in touch with the folk that
created it as well. He and I have remained in contact and swapped some
interesting resources, so it isn't all talk.

His approach sounded eminently rational to me: if you're poor, buy the
hardware and find free- and share-ware on the web.  All of a sudden, the
conclusions of BSA report sounded a lot more risky to me.

Jurek Kirakowski, HFRG, Ireland  http://hfrg.ucc.ie/   http://hfrg.ucc.ie/jk/


Re: 37% of programs used in business are pirated (RISKS-21.42)

<"Merlyn Kline" <merlyn@zynet.net>>
Tue, 29 May 2001 16:25:51 +0100

> tops the list in terms of dollars (an estimated $4 billion) lost to piracy.

This sounds like one of those inflammatory and inflationary statements the
RIAA has become fond of recently. To my mind there is a big difference
between this statement (which describes something that I can't imagine a
means of estimating) and a statement like "tops the list in terms of dollars
(an estimated $4 billion) retail value of pirated software". Many users
would not be using the software they are using if they were forced to buy it
rather than pirate it - they would be using a cheaper alternative.


More SMS SPAM (Re: Moskowitz, RISKS-21.42)

<Simon Waters <Simon@wretched.demon.co.uk>>
Sat, 26 May 2001 19:58:02 +0100

Robert Moskowitz's Risks article 'Great DoS attack for cell phones' prompted
me to write.

This week I've received two identical SMS messages telling me to urgently
call a number, normal enough for a busy IT consultant perhaps, but the
number was for a premium rate line.

Such abuses are not specifically SMS related (A favourite UK scam was to
make very cheap goods and holiday offers via junk fax, where to accept it
the order must be sent to a premium rate fax number - no doubt some Office
employees figured they would turn their employers' phone bill into their
holiday money and ordered despite knowing the number was premium rate),
although the ever changing number schemes inflicted on the average Brit by
our telecoms regulator is making it harder and harder to sort out the wheat
from the chaff, and the sheer number of mobile phones will make these scams
more profitable and presumably therefore more common.

At least I may have found a use for the premium rate number blocking service
offered by many mobile phone operators, it will let people act on their SMS
messages without being lumbered with an unexpectedly large bill.

Perhaps someone would care to enlighten me as to what urgent messages I
declined to pay for?

Simon Waters  www.eighth-layer.com  Tel: +44(0)1395 232769  ICQ: 116952768
Moderated discussion of teleworking issues at news:uk.business.telework


Re: Lost train (Weber-Wulff, RISKS-21.42)

<msb@vex.net (Mark Brader)>
Wed, 30 May 2001 11:45:01 -0400 (EDT)

I don't think the Swiss Federal Railways (Schweizerische Bundesbahnen,
SBB, http://www.sbb.ch) could have been involved here: the lines from
Chur to Davos are part of the Rhaetian Railway system (Rhätische Bahn,
RhB, http://www.rhb.ch).

Mark Brader, Toronto, msb@vex.net

  [Correction noted in RISKS-21.43.  But could be a joint arrangement? PGN]
