The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 21 Issue 74

Sunday 11 November 2001

Contents

Programming error scrambles election results
Geoff Kuenning
Yet another Internet voting risk
Rebecca Mercuri
Election problems before the election in Virginia
Jeremy Epstein
Possible radiation therapy risk
Herbert Kanner
Risks of belief in identities
PGN
Stealing MS Passport's Wallet
Mike Hogsett
Security hole in cash machines
Andrew Brydon
UK: liberties fears over mobile-phone details
Monty Solomon
Dutch police 'bombard' stolen cell phones with SMS
Monty Solomon
Australian computer hacker jailed for two years
Peter Deighan
Even professional organizations forget about certificate expiration
Jeremy Epstein
Children's medical records released on the Web
Conrad Heiney
Glitch in iTunes Deletes Drives
Monty Solomon
Dates in Visual Basic
John Sullivan
Excel and non-decimal dots
magical via Mark Brader
Sweden's public radio reportedly bans SETI from office computers
Ulf Hedlund via Declan McCullagh
Random failures
Andrew Brydon
Re: Another SRI-wide Power Outage
Marcus L. Rowland
Re: Kids' learning game site becomes porn site
Daniel P. B. Smith
Ian Young
Paul Bowers
Re: DeCSS is Speech
Amos Shapir
Re: DoS attack on Mac OS9
William Kucharski
Carl Maniscalco
Info on RISKS (comp.risks)

Programming error scrambles election results

<Geoff Kuenning <geoff@cs.hmc.edu>>
Sat, 10 Nov 2001 14:16:27 -0800

A San Bernardino County election last Tuesday was counted incorrectly due to
a programming error.  According to the *Los Angeles Times*, a veteran county
employee claimed to have tested his code, but apparently had not actually
done so.  Some ballots were counted starting at the middle (sounds like an
uninitialized loop variable); others were counted "from the bottom up"
(don't ask me how).  The unnamed employee has been suspended from
programming duties.  A consulting firm has now been brought in to verify the
software for this and all future elections, something that should have been
standard practice all along.

In some races, heavily favored incumbents "lost" to unknowns who hadn't
campaigned at all.  The error was uncovered when officials noticed that the
count for one race showed no votes counted.

Especially telling is the following paragraph in one of the Times stories:

  "County officials said the good news is that using a card-counting system
  means that ballots are still around to be recounted.  If the same error
  had occurred with an electronic voting system, there would be no paper
  record, West said."

We've been telling them for years.  But I doubt they'll learn their lesson.

Geoff Kuenning   geoff@cs.hmc.edu   http://www.cs.hmc.edu/~geoff/

  [The results of 33 races were seriously in doubt, and all 85,000 ballots
  for 82 races will be recounted.  Also noted by Erann Gat.  PGN]


Yet another Internet voting risk

<Rebecca Mercuri <Mercuri@acm.org>>
Tue, 6 Nov 2001 14:50:56 -0500 (EST)

I was working at the polls in Mercer County NJ during the 6 Nov 2001
election and heard from a number of people whose spouses and/or children had
applied for absentee ballots (since they would not be able to vote at the
polls) but did not receive them.  Mercer County is in the midst of the
Anthrax mailing zone, with 3 post offices affected.  Apparently, in some of
the cases, the application for the absentee ballot was not received in time,
and in other cases the absentee ballots were not received by the voters in
time.

How this relates to Internet balloting -- most schemes, including the one
outlined by the California Task Force, would require the validation process
and issuance of the Internet voting password to be issued by postal mail.  A
mail hold-up such as the one we are experiencing in New Jersey could
adversely affect the process.

In short, the best way to validate voters is in person.


Election problems before the election in Virginia

<Jeremy Epstein <jepstein@webmethods.com>>
Wed, 31 Oct 2001 09:05:50 -0500

Like almost all U.S. states (*), Virginia is undergoing redistricting as a
result of the 2000 census.  As a result, some people got new polling places.
According to
  http://www.washingtonpost.com/wp-dyn/articles/A14523-2001Oct30.html
Fairfax County sent electronic updates to the state for inclusion in the
state's database to reflect local redistricting, and the state sent a new
master database back, which lost about 18,000 of the updates.
Unfortunately, Fairfax County used the erroneous data to send out voter
information, and had to send out a second set of instructions.

There's the predictable finger-pointing as to who's at fault for the snafu.

All goes to prove that there are plenty of computer-related risks in
elections, and that's before you even get to the polling place!

(*) There may be some states where there's no redistricting.  For example,
Wyoming only has one representative, so there's no need for statewide
redistricting, although there may be local redistricting.


Possible radiation therapy risk

<Herbert Kanner <kanner@acm.org>>
Sat, 10 Nov 2001 11:59:32 -0800

As a patient being irradiated by a Varian linear accelerator, it interested
me to be told by a technician that when they are behind schedule it is
usually because of a computer crash.  He said that the accelerator is
controlled by "three computers that talk to each other."  I inquired further
and found out that they are PCs running Windows 2000.  Not exactly
confidence inspiring!

Herbert Kanner <kanner@acm.org>  650-326-8204


Risks of belief in identities

<"Peter G. Neumann" <neumann@csl.sri.com>>
Sat, 10 Nov 2001 11:54:17 PST

For those of you who might believe that national ID cards might be a good
idea, check out the December 2001 *Commun.ACM* Inside Risks column by me
and Lauren Weinstein, previewed on my Web site
  http://www.csl.sri.com/neumann/insiderisks.html
in anticipation of a U.S. House hearing next Friday on that subject.

It is not just the cards themselves that would entail risks, but even more so
all of the supporting infrastructures, widespread accessibility to
networking, monitoring, cross-linked databases, data mining, etc., and
particularly the risks of untrustworthy insiders issuing bogus
identification cards -- as happened a few years back on a large scale in the
Virginia state motor vehicle agency (RISKS-11.41).

The latest item on the ease of getting phony or illegal or unchecked
identification papers is found in an article by Michelle Malkin (Creators
Syndicate Inc.), which I saw in the *San Francisco Chronicle* on 10 Nov
2001: Abdulla Noman, employed by the U.S. Department of Commerce, issued
bogus visas in Jeddah, Saudi Arabia, in one case in 1998 charging
approximately $3,178.  The article also notes a variety of sleazy schemes
for obtaining visas, in some cases without ever appearing in person and
without any background checks, and in other cases for ``investments'' of a
hundred and fifty thousand dollars.  The article concludes with this
sentence: ``Until our embassy officials stop selling American visas blindly
to every foreign investor waving cash, homeland security is a pipe dream.''
I'm not sure that conclusion is representative of the full nature of the
problem of bogus identification, but the problem is clearly significant.
A driver's license or a passport or a visa or a National ID card is not
really proof of identity or genuineness or anything else.


Stealing MS Passport's Wallet

<Mike Hogsett <hogsett@csl.sri.com>>
Fri, 02 Nov 2001 14:51:52 -0800

  From: http://www.wired.com/news/technology/0,1282,48105,00.html

By cobbling together a handful of browser-based bugs with flaws in
Passport's authentication system, Slemko developed a technique to
steal a person's Microsoft Passport, credit card numbers -- and all,
simply by getting the victim to open a Hotmail message.


Security hole in cash machines

<Andrew Brydon <andrew@isbjorn.demon.co.uk>>
Fri, 9 Nov 2001 05:53:32 +0000

http://news.bbc.co.uk/hi/english/sci/tech/newsid_1645000/1645552.stm
By BBC News Online technology correspondent Mark Ward

A serious weakness has been discovered in the methods used by banks to
protect the number that lets you get money from a cash machine.  Researchers
from the University of Cambridge have found that the computer systems which
check that these numbers are valid are easy to defeat.  They warn that
unscrupulous insiders could exploit these weaknesses to raid customer
accounts.  The researchers have called on banks to revise their security
arrangements and use more open procedures to protect customers' cash.

... The physical construction of the cryptoprocessors is certified to a high
standard to ensure that the boxes cannot be forced to give up the keys they
use to scramble data.  Any physical tampering with the box makes them
destroy the keys they use.  [However,] security researchers Michael Bond and
Richard Clayton have found serious weaknesses in the software
cryptoprocessors use to handle the encryption keys as they talk to different
programs.  ... using the clues provided by the leaky software, the cracking
time can be reduced to just 24 hours.

Andrew Brydon, Systems & Software Safety Analyst, Lancashire, UK


UK: liberties fears over mobile-phone details

<Monty Solomon <monty@roscom.com>>
Tue, 30 Oct 2001 21:02:14 -0500

Records which map out users' whereabouts held indefinitely
Stuart Millar and Paul Kelso, *The Guardian*, 27 Oct 2001

One of the fastest growing mobile phone providers is indefinitely storing
information that allows its customers' movements over the last two years to
be mapped to within a few hundred metres.  As the government rushes through
emergency anti-terror legislation that would require vast amounts of
electronic communications data to be retained in the name of national
security, *The Guardian* has established that Virgin Mobile has been storing
the location records of its 1 million customers since the network launched
in November 1999.  Last night, the privacy watchdog, the information
commissioner, told the Guardian that it would be investigating the practice
to establish whether it contravenes regulations governing retention of
communications data.  [...]

http://www.guardian.co.uk/mobile/article/0,2763,581763,00.html


Dutch police 'bombard' stolen cell phones with SMS

<Monty Solomon <monty@roscom.com>>
Tue, 6 Nov 2001 10:03:47 -0500

Dutch Police 'Bombard' Stolen Cell Phones With SMS
By Andrew Rosenbaum, Special to Newsbytes, AMSTERDAM, NETHERLANDS, 05 Nov 2001

The Amsterdam police have been using short messaging system (SMS) missives
to block the use of stolen cell phones, and while the campaign has been
successful, mobile providers are concerned about the cost and bandwidth
strain of the campaign.

About four months ago, the Amsterdam police began cooperating with the
national telecommunications provider, KPN Telekom. When stolen phones are
reported, the police asked KPN to use the phone to locate the telephone
number. Then, every three to five minutes, the police sent SMS messages to
the telephone saying, "Warning, this is a stolen telephone, using it is
against the law -- stealing it is a felony."  ...

http://www.newsbytes.com/news/01/171836.html


Australian computer hacker jailed for two years

<Peter Deighan <deighanp@ozemail.com.au>>
Wed, 31 Oct 2001 20:03:45 +1100

This from Australian Broadcasting Corporation web site, 31 Oct 2001
URL = http://www.abc.net.au/news/newslink/nat/newsnat-31oct2001-96.htm

  Vitek Boden, a computer hacker who hacked into the sewage control computer
  and intentionally released thousands of litres of raw sewage into
  creeks and parks on the lower Queensland Coast (and the grounds of the
  local Hyatt Regency), has been jailed for two years by a Maroochydore
  District Court jury.  [PGN-ed]

An unexpected Risk?  Wonder what the design decision was: perhaps to save on
call-back costs for control staff?

  [also noted by Derek Ross and George Michaelson.  PGN]


Even professional organizations forget about certificate expiration

<Jeremy Epstein <jepstein@webmethods.com>>
Mon, 5 Nov 2001 09:23:29 -0500

If you visit https://swww2.ieee.org/ (the site used for on-line renewal of
IEEE membership), you'll learn that the certificate expired on Oct 31st
2001.  I reported this on Nov 1st to IEEE, and as of today (Nov 5th), it
hasn't been fixed.

I'm curious how many other people noticed/reported it, or if everyone just
clicked through due to the vast quantity of similar problems on the
Internet.  What good is certificate expiration if it gets ignored by users?


Children's medical records released on the Web

<Conrad Heiney <conrad@fringehead.org>>
Wed, 7 Nov 2001 10:45:58 -0800

The University of Montana released confidential psychological records of
children on the World Wide Web, according to the *Los Angeles Times*:
  http://www.latimes.com/news/nationworld/nation/la-110701private.story

Four hundred pages of documents about at least 62 children were posted,
including in some cases complete name and address information along with
results of psychological testing. According to the *Times*, the data was
available for eight days starting October 29 and included confidential and
detailed summaries of patients' psychiatric conditions in much more detail
than in previous similar accidental releases of information. The University
indicated that errors by students or technical employees were likely to be
at fault.

The obvious Risk of electronic medical records is once again proved in an
especially painful way.

Conrad Heiney  conrad@fringehead.org  http://fringehead.org


Glitch in iTunes Deletes Drives

<Monty Solomon <monty@roscom.com>>
Tue, 6 Nov 2001 09:58:07 -0500

Glitch in iTunes Deletes Drives, By Farhad Manjoo, 5 Nov 2001

Some Macintosh users who rushed to download the latest version of iTunes --
Apple's popular digital-music player -- were singing a song of woe on
Friday. A bug in the installation procedure caused the application to
completely delete their computers' hard drives.  Apple issued an alert and a
fixed version of iTunes 2 on Saturday morning, and the company urged people
to remain calm.  [...]

According to Mac experts who examined the code of the buggy iTunes
installer, the problem arose from a very tiny programming mistake -- a
forgotten quote mark.

Instead of typing the line "$2Applications/iTunes.app", a bleary-eyed
coder had instead typed the disastrous $2Applications/iTunes.app,
according to a message on MacSlash.  [...]

http://www.wired.com/news/technology/0,1282,48149,00.html
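The quoting bug described above, as an added example that is not part of the Wired or MacSlash reports: it runs the unquoted and the quoted form of the `$2Applications/iTunes.app` expression through the real `/bin/sh` and shows what argument list the command in front of it receives. The reports do not show the surrounding line, so this assumes the expression stood in front of a delete command and that `$2` held the destination volume path; a recording `printf` stands in for the delete, and the volume names are constructed.

```python
"""Added example (not from the Wired/MacSlash reports): why one missing quote
mark turns a single path into two.  Assumes $2 was the destination volume and
that the expression fed a delete command; printf records the words instead."""
import subprocess

# Both lines are run by /bin/sh with the volume path as positional parameter $2,
# matching the "$2Applications/iTunes.app" expression quoted in the report.
BUGGY_LINE = 'printf "%s\\n" $2Applications/iTunes.app'      # unquoted expansion
FIXED_LINE = 'printf "%s\\n" "$2Applications/iTunes.app"'    # quoted expansion


def words_received(script, volume):
    """Run `script` under sh with $1 = app name, $2 = volume path, and return
    the argument list the command at the front of the line would have seen.
    sh applies field splitting to an unquoted expansion, so a volume name
    containing a space becomes two separate arguments."""
    result = subprocess.run(
        ["sh", "-c", script, "sh", "iTunes 2", volume],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.splitlines()


def main():
    # Constructed volume names: one with a space (where the bug bites), one without.
    for volume in ("/Volumes/Macintosh HD/", "/Volumes/Macintosh/"):
        print(f"volume {volume!r}")
        print("  buggy:", words_received(BUGGY_LINE, volume))
        print("  fixed:", words_received(FIXED_LINE, volume))


if __name__ == "__main__":
    main()
```

With a volume named `Macintosh HD`, the buggy line hands the command `/Volumes/Macintosh` as its first argument and `HD/Applications/iTunes.app` as its second; a recursive delete acting on that first argument removes the whole volume. The quoted line passes one argument, and both lines agree only when the volume name happens to contain no whitespace, which is why the bug escaped testing.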


Dates in Visual Basic

<John Sullivan <john.sullivan@thermoteknix.co.uk>>
Fri, 9 Nov 2001 16:56:45 +0000

I was just writing a test-harness in Visual Basic (VB6 SP5) when I noticed
the following annoying and potentially downright dangerous behaviour.

Part of the code generated a series of dates, and I'd entered the start date
as a literal date of the form #2001-11-08#. This worked fine, as I expected,
and as it wasn't at all important at this stage I didn't look twice at
what I'd just typed.

When I came back to it today, I noticed it read #11/8/2001#. Now, I never
code dates in non-ISO format if possible, and being in the UK with my locale
set to UK never, ever, use US mm/dd format unless I know it's the only
format a broken program accepts. Retyping it showed that the date was
changed in front of my eyes:

  #2001-11-08# becomes #11/8/2001#  (2001-11-08)
  #11/8/2001#  becomes #11/8/2001#  (2001-11-08)
  #8/11/2001#  becomes #8/11/2001#  (2001-08-11)
  #15/11/2001# becomes #11/15/2001# (2001-11-15)

It changed as soon as the cursor left the line. So you type it, check it,
find it correct, go off somewhere else, blam!

The first has reduced the comprehensibility of the code. The second and
third give no feedback that they're not conforming to the current locale.
The last two show that VB is not even being consistent in its parsing.

The Risks:

Dumb programs thinking they're smart enough to change a programmer's code
can lead to unpredictable behaviour. If you assume that what you type is
what gets saved then you may not even notice, and errors in strings of
numbers are immediately less obvious than structural or logical errors.

If I (or a colleague) came back to the first example in a few months time,
will we know whether it means 8th Nov or 11th Aug? It would be natural to
assume it's using the current locale, but in this case it isn't. What I
actually typed was unambiguous.

I use VB, and dates in VB, so rarely that I may not even remember this
behaviour myself a year or two down the line. Thankfully I don't have to use
this noddy little toy for writing Real Programs in.
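The two readings VB silently chose between, as an added example that is not code from the message above: `lenient_date` reproduces the behaviour the four literals show (try month/day first, fall back to day/month when the first field cannot be a month, accept ISO as well), a rule inferred from those four lines rather than taken from any VB documentation; `readings` and `is_ambiguous` expose every calendar date a slash literal could mean; `strict_iso_date` is the defensive alternative, accepting only YYYY-MM-DD. The `#...#` delimiters are stripped so the page's literals can be pasted in as they appear.

```python
"""Added example, not from the original message: a parser that makes the
silent month/day versus day/month fallback visible, next to a strict ISO-only
parser.  The fallback rule is inferred from the four literals in the message."""
import datetime as dt
import re

SLASH_RE = re.compile(r"^#?(\d{1,2})/(\d{1,2})/(\d{4})#?$")
ISO_RE = re.compile(r"^#?(\d{4})-(\d{2})-(\d{2})#?$")


def readings(literal):
    """Every calendar date a slash literal could denote, as (order, date) pairs."""
    m = SLASH_RE.match(literal)
    if not m:
        return []
    a, b, year = (int(x) for x in m.groups())
    out = []
    for order, (month, day) in (("month/day", (a, b)), ("day/month", (b, a))):
        try:
            out.append((order, dt.date(year, month, day)))
        except ValueError:      # e.g. month 15 does not exist
            pass
    return out


def lenient_date(literal):
    """VB6-style reading as reported above: ISO if it matches, else the first
    slash reading that yields a valid date, month/day tried before day/month."""
    m = ISO_RE.match(literal)
    if m:
        return dt.date(*(int(x) for x in m.groups()))
    found = readings(literal)
    if not found:
        raise ValueError(f"unrecognised date literal {literal!r}")
    return found[0][1]          # first successful reading wins, silently


def strict_iso_date(literal):
    """Accept only YYYY-MM-DD; refuse every slash form, ambiguous or not."""
    m = ISO_RE.match(literal)
    if not m:
        raise ValueError(f"refusing non-ISO date literal {literal!r}")
    return dt.date(*(int(x) for x in m.groups()))


def strict_accepts(literal):
    """True when strict_iso_date would accept the literal."""
    try:
        strict_iso_date(literal)
        return True
    except ValueError:
        return False


def is_ambiguous(literal):
    """True when a slash literal has two different valid readings."""
    return len({d for _, d in readings(literal)}) > 1


if __name__ == "__main__":
    for lit in ("#2001-11-08#", "#11/8/2001#", "#8/11/2001#", "#15/11/2001#"):
        print(f"{lit:14} lenient={lenient_date(lit)} ambiguous={is_ambiguous(lit)}"
              f" strict_ok={strict_accepts(lit)}")
```

Run on the message's four literals, `lenient_date` gives 2001-11-08, 2001-11-08, 2001-08-11 and 2001-11-15, the same results the author saw; `is_ambiguous` flags the two slash literals whose day and month are both 12 or less, and `strict_accepts` is true only for the ISO form. A review rule that rejects any literal failing `strict_accepts` catches the problem before the IDE has a chance to rewrite it.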


Excel and non-decimal dots

<msb@vex.net (Mark Brader)>
Wed, 7 Nov 2001 13:43:25 -0500 (EST)

* From: magical@rahul.net
* Newsgroups: alt.usage.english
* Subject: Re: Telephone Area Code
* Message-ID: <7bqiutgjqqg1tu29qd6ak615c14pbcfavo@4ax.com>
* Date: Wed, 07 Nov 2001 17:07:08 GMT

On Wed, 07 Nov 2001 07:54:15 GMT, in alt.usage.english, David
Hecht <davidhecht@prodigy.net> created

> The US convention (AAA)BBB-CCCC is not just evolving into AAA-BBB-CCCC;
> now I'm seeing more and more of the "international" style: AAA.BBB.CCCC
> .  This appears in some "chic" guidebooks.

I tried using that format, until I pulled a text file into Excel and it
changed all the phone numbers into "real numbers" and deleted terminal
zeros.  Excel also has this annoying habit with IP addresses, changing
10.0.0.10 to 10.0.0.1.  I can't find a way, in the *import* function, to
define these numbers as "text" so that Excel will leave them alone upon
import.  Sigh.
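The import step the message above wishes Excel offered, as an added example that is not from the original post: a CSV importer that coerces a field to a number only when the text can be recovered from that number, and keeps dotted phone numbers, IPv4 addresses, leading-zero codes and trailing-zero decimals as text. The sample rows and the `careful_cell` classification rules are constructed here; `naive_cell` stands in for an importer that converts anything `float()` accepts.

```python
"""Added example, not from the original message: lossless-or-text CSV import.
The sample data and the classification rules are constructed for illustration."""
import csv
import io
import re

# Constructed sample; the phone number and IP address have the shapes the
# message describes, the ZIP code and amount carry zeros a float would drop.
SAMPLE = """name,phone,host,zip,amount
Alice,415.555.0100,10.0.0.10,02134,12.50
Bob,212.555.0199,192.168.1.1,90210,7
"""

IPV4_RE = re.compile(r"^(\d{1,3}\.){3}\d{1,3}$")
DOTTED_PHONE_RE = re.compile(r"^\d{3}\.\d{3}\.\d{4}$")
NUMBER_RE = re.compile(r"^-?\d+(\.\d+)?$")


def naive_cell(value):
    """A number-hungry importer: coerce whenever float() accepts the text."""
    try:
        return float(value)
    except ValueError:
        return value


def careful_cell(value):
    """Coerce only when the round trip is lossless; otherwise keep the text."""
    if IPV4_RE.match(value) or DOTTED_PHONE_RE.match(value):
        return value                          # identifiers, not quantities
    if not NUMBER_RE.match(value):
        return value
    if value.startswith("0") and value != "0" and not value.startswith("0."):
        return value                          # leading zero (ZIP, account no.)
    number = float(value)
    # Accept only if rendering the number reproduces the original text exactly,
    # so "12.50" (trailing zero) stays text while "7" and "1.0" become numbers.
    if number.is_integer() and "." not in value:
        rendered = str(int(number))
    else:
        rendered = repr(number)
    return number if rendered == value else value


def import_rows(text, cell=careful_cell):
    """Parse CSV text into a list of dicts, applying `cell` to every field."""
    return [{k: cell(v) for k, v in row.items()}
            for row in csv.DictReader(io.StringIO(text))]


def damage_report(text):
    """Fields the naive importer would alter irrecoverably: (column, text, number)."""
    report = []
    for row in csv.DictReader(io.StringIO(text)):
        for column, value in row.items():
            coerced = naive_cell(value)
            if isinstance(coerced, float) and careful_cell(value) == value:
                report.append((column, value, coerced))
    return report


if __name__ == "__main__":
    for row in import_rows(SAMPLE):
        print(row)
    print("naive import would damage:", damage_report(SAMPLE))
```

On the sample, `damage_report` lists the ZIP code `02134` (which would become `2134.0`) and the amount `12.50` (which would become `12.5`); the phone number and host fields survive either way only because Python's `float()` refuses them outright, which is the check a spreadsheet's number detection evidently lacks. The round-trip test is the general rule: a value may be stored as a number only if the original text can be regenerated from it.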


Sweden's public radio reportedly bans SETI from office computers

<Declan McCullagh <declan@well.com>>
Thu, 08 Nov 2001 15:22:14 -0500

SETI homepage:
http://setiathome.ssl.berkeley.edu/

Date: Thu, 08 Nov 2001 21:10:05 +0100
To: declan@well.com
From: Ulf Hedlund <guru@slideware.com>
Subject: Swedish national radio bans SETI software

Conspiracy theory has reached the state-owned public service radio in
Sweden, "Sveriges Radio" (www.sr.se). They have banned all use of the SETI
software and say that three of the technicians from the IT department are
going to be relocated. According to the head of human resources, Per
Thorsell, this is due to the fact that they don't know if the software is
actually performing a search for extraterrestrial life. "The software could be
used by some service for other purposes, e.g., calculation of missile
ballistics", he says.

  http://www.sr.se/ekot/index.asp?article=22761 [in Swedish;
  translation tinkered slightly after consulting Ulf Lindqvist, who
  suggests they should be equally paranoid about other black-box
  software they might be running.  PGN]

To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/


Random failures (Re: Bank Canada, Sokskiewicz, RISKS-21.73)

<Andrew Brydon <andrew@isbjorn.demon.co.uk>>
Tue, 6 Nov 2001 22:31:18 +0000

>I think that sometimes we are better off accepting such "random" occurrences

Rather we should be analysing our systems for random failures and
interactions due to these random occurrences, designing out or mitigating to
limit the effects of such failures. To do any less may be unprofessional,
and in many cases illegal.

>Sometimes I feel that RISKS readers expect to live in a perfect world.

I think we should expect all reasonable care to be taken over developing and
implementing the systems which we use, as for any other consumer product or
service. The difference with, say a toaster, is that there are far fewer
interactions and controls to consider, but we still expect it to turn bread
to toast without error.

Andrew Brydon, Systems & Software Safety Analyst, Lancashire, UK


Re: Another SRI-wide Power Outage

<"Marcus L. Rowland" <mrowland@ffutures.demon.co.uk>>
Tue, 30 Oct 2001 23:02:37 +0000

A couple of weeks ago I spent three hours trying to find out why one of our
laboratories (see various previous comp.risks digests) was tripping out its
circuit breakers again, despite the system having been overhauled.

We eventually realised that someone had put a box of equipment down on top
of a stool that wobbled slightly, so that it pressed against the emergency
cut-out button whenever someone brushed past it...

Marcus L. Rowland
http://www.ffutures.demon.co.uk/     http://www.forgottenfutures.com/

  [VERY OLD problem.  In the Multics days in the later 1960s at Bell Labs,
  sitting down in a particular chair in the computer room would often
  crash the system, due to the under-floor wiring.  PGN]


Re: Kids' learning game site becomes porn site (RISKS-21.73)

<"Daniel P. B. Smith" <dpbsmith@bellatlantic.net>>
Mon, 05 Nov 2001 20:11:49 -0500

In the interest of becoming a well-informed netizen, I took a look at
http://www.moneyopolis.org and http://www.moneyopolis.com.  Imagine my
disappointment^h^h^h^h^h^h^h^h^h^h^h^h^h^h^h relief, to find that as of
11/5/2001 these sites appear to be ... an online interactive children's
game produced as a public service by Ernst and Young.

Daniel P. B. Smith <dpbsmith@world.std.com>

  [Quite a few RISKS readers noted this.  So, either the WashPost and NYT
  (which ran its own story) got it wrong, or E&Y quickly repaired its image
  by re-acquiring the .org domain -- presumably at an indecent markup.  PGN]


Re: Kids' learning game site becomes porn site (RISKS-21.73)

<Ian Young <ian@iay.org.uk>>
Tue, 6 Nov 2001 09:58:17 -0000

You won't be surprised to hear that Ernst & Young (no relation) are not the
only people to have been affected by this scheme.  I got some moderately
irate E-mail recently from users of a small site I run because one of the
sites I had linked to had apparently converted to a porn site in the way the
*Post* describes.

However, in this case:

* the registration was by a different company: someone out of Tbilisi,
Georgia instead of Yerevan, Armenia.

* The new site contained a single page containing an _advertisement_ for
"Euro Teen Sluts", plus half a dozen post-close pop-ups for similar sites,
but also offered to sell you the domain name in question!

Obviously, buying up random dead domains is a cheap way of getting
advertising space, as long as you don't care who sees the adverts in
question.

Risk 1: links are sometimes seen as endorsements.  That's a problem for me,
but it is presumably also a problem for people like Google, whose rating
system depends on seeing that particular sites are linked _to_ by other
sites.  I wonder how they cope with this?  I can see that they do, because
the site I linked to still has a lot of links to it, but no longer appears
in a Google search with any of the obvious keywords...

Risk 2: automatic link checkers will tell you there is something there, but
they won't tell you what it is.  You actually have to visit your links once
in a while to check they haven't turned into something else.


Re: Kids' learning game site becomes porn site (RISKS-21.73)

<"Paul Bowers" <pbowers@PipingDesign.com>>
Mon, 5 Nov 2001 21:11:49 -0500

On a similar theme, one of my visitors pointed out to me that a link from my
site was now resolving to some cyber-babe page.  Apparently, exicom.org
recently changed owners.

The articles I had linked from the site were good technical pages.


Re: DeCSS is Speech (Tyre, RISKS-21.73)

<Amos Shapir <amos@sela.co.il>>
Tue, 06 Nov 2001 14:37:22 +0200

May I point out that the original purpose of ALGOL -- the granddaddy of all
structured programming languages -- was to create a common set of notations
which would enable people to converse about algorithms.  ALGOL code was not
meant to be compiled into executable object code, and its first
specification (of 1960, IIRC) had no defined means for I/O.

Amos Shapir


Re: DoS attack on Mac OS9 (Gat, RISKS-21.73)

<"William Kucharski" <kucharsk@mac.com>>
Sun, 11 Nov 2001 07:31:51 -0700

The risk in MacOS 9 is not surprising, and not really a RISK.  Not unless
you're expecting the Multiple Users feature of MacOS 9 to provide anything
more than rudimentary security.

Sure, you can change passwords if you have physical access to the machine.
You can also boot any Mac with a MacOS 9 CD and completely circumvent all
protection.

The biggest RISK here is believing a feature meant largely to provide
different environments for different family members or to prevent clueless
users from damaging the system (i.e. dragging crucial system control panels or
extensions to the trash) provides any TRUE degree of security...

William Kucharski <kucharsk@mac.com>


Re: DoS attack on Mac OS9 (Gat, RISKS-21.73)

<Carl Maniscalco <camannospam@earthlink.net>>
Sun, 11 Nov 2001 16:51:33 -0800

The Multiple Users control panel in OS 9 *is* a pretty ugly hack but the
security risk isn't quite as bad as Mr. Gat makes it out to be. To effect a
password change that would "render that machine useless," the malicious user
would have to gain access to a Mac where someone has already logged on to
the admin account. In my opinion, anyone who leaves a computer unattended in
that state in an insecure environment probably deserves whatever he gets.

Carl Maniscalco, Deus Ex Macintosh, Mac Consultants, San Diego, CA
