The RISKS Digest
Volume 22 Issue 25

Monday, 23rd September 2002

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Elections In America - Assume Crooks Are In Control
Lynn Landes via Rebecca Mercuri
Re: Florida Primary 2002: Back to the Future
Bob Morrell
Georgia Secretary of State response to Mercuri
Chris Riggall via Donald R. Calabro Jr.
Election idiocy crosses state lines
Mark Richards
Retrospective Karger/Schell paper on Multics Security Evaluation
Steve Summit
Info on RISKS (comp.risks)

Elections In America - Assume Crooks Are In Control, Lynn Landes

<"Rebecca Mercuri" <>>
Wed, 18 Sep 2002 09:09:35 -0400

  [Spin Doctors at it again!  Rebecca.]

Elections In America - Assume Crooks Are In Control
Lynn Landes, 16 Sep 2002

Don't blame the poll workers in Florida. The facts, supported by voting
machine experts and numerous newspaper articles, have made it
clear. Computerized voting machines that were certified by the state of
Florida, caused most of the problems in Florida's primary election. In the
absence of paper ballots, the damage is now irreversible.

This was no accident. It's not new. And Florida is not alone.

"The concept is clear, simple, and it works. Computerized voting gives the
power of selection, without fear of discovery, to whomever controls the
computer," wrote the authors of VoteScam (1992), James & Kenneth Collier
(both now deceased). It's a 'must read' book about how elections have been
electronically and mechanically rigged in the United States for decades, and
with the knowing and sometimes unknowing support of media giants and
government officials, including... ironically... Janet Reno.

Only a few companies dominate the market for computer voting machines.
Alarmingly, under U.S. federal law, no background checks are required on
these companies or their employees. Felons and foreigners can, and do, own
computer voting machine companies. Voting machine companies demand that
clients sign 'proprietary' contracts to protect their trade secrets, which
prohibits a thorough inspection of voting machines by outsiders. And,
unbelievably, it appears that most election officials don't require paper
ballots to back up or audit electronic election results. So far, lawsuits to
allow complete access to inspect voting machines, or to require paper
ballots so that recounts are possible...have failed.

As far as we know, some guy from Russia could be controlling the outcome of
computerized elections in the United States.

In fact, Vikant Corp., a Chicago-area company owned by Alex Kantarovich,
formerly of Minsk, Belorussia (also known as White Russia, formerly
U.S.S.R.), supplies the all-important 'control cards' to Election Systems &
Software (ES&S), the world's largest election management company, writes
reporter Christopher Bollyn.  According to ES&S, they have "handled more
than 40,000 of the world's most important events and elections. ES&S systems
have counted approximately 60% of the U.S. national vote for the past four
presidential elections. In the U.S. 2000 general election, ES&S systems
counted over 100 million ballots."

Getting back to Kantarovich, he would not disclose where the control cards
are made, except they aren't made in America, writes Bollyn. Nor would he
discuss his previous employment. Bollyn says he got some
not-too-thinly-veiled threats from Kantarovich.

Kantarovich sounds more like the Russian mafia, than a legitimate businessman.

But the really big deal is this....all of ES&S's touch screen machines
contain modems, "allowing them to communicate-and be communicated with-while
they are in operation," reports Bollyn. That communication capability
includes satellites.  "Even computers not connected to modems or an
electronic network can still be manipulated offsite, not during the
election, but certainly before or after," says voting systems expert
Dr. Rebecca Mercuri.

ES&S supplied the touch screens for Miami-Dade and Broward counties where
the worst machine failures occurred. But the debacle was nothing new for
ES&S.  Associated Press (AP) reporter Jessica Fargen wrote in June 2000,
"Venezuela's president and the head of the nation's election board accused
ES&S of trying to destabilize the country's electoral process. In the United
States, four states have reported problems with equipment supplied by the
company. Faulty ES&S machines used in Hawaii's 1998 elections forced that
state's first-ever recount."

Sequoia is another voting systems company that sends a cold chill down my
spine.  "Mob ties, bribery, felony convictions, and threats of coercion are
visible in the public record of the election services company," according to
investigative journalist and filmmaker Daniel Hopsicker, and reported in  Hopsicker says that Pasquale "Rocco" Ricci, a 65-year-old
senior executive with Sequoia, and the firm's Louisiana representative,
recently pled guilty to passing out as much as $10 million dollars in bribes
over the course of almost an entire decade." According to American Law
Education Rights & Taxation (ALERT), Ricci is the president of Sequoia
International, which also manufactures casino slot machines.

That's just great. Now, we could possibly have both the Russian mafia and the
U.S. mafia involved in our elections.

In May 2002 Sequoia was bought by De La Rue, based in England. By their own
estimate, De La Rue is "the world's largest commercial security printer and
papermaker, involved in the production of over 150 national currencies and a
wide range of security documents such as travelers checks and vouchers.
Employing almost 7,000 people across 31 countries, (De La Rue) is also a
leading provider of cash handling equipment and software solutions to banks
and retailers worldwide." And they develop technology for secure passports,
identity cards, and driver's licenses.

Okay, add Dr. Evil to the mix and be on the look-out for international money
launderers, drug kingpins, and Nazis.

The Shoup Voting Solutions of Quakertown, Pennsylvania, has a reputation for
rigging elections, wrote the late co-author of VoteScam, Jim
Collier. According to Collier, in 1979, Ransom Shoup II, the president of
the firm, was convicted of conspiracy and obstruction of justice stemming
from an FBI investigation of a vote-fixing scam involving the old-fashioned
lever machines in Philadelphia."

These reports are just the tip of the iceberg. The numerous instances of
U.S. voting systems error and fraud are documented in a 1988 report for the
U.S. Commerce Department entitled, "Accuracy, Integrity, and Security in
Computerized Vote-Tallying" by Roy G. Saltman, a computer consultant for the
National Institute of Standards and Technology's Computer Systems
Laboratory. Many other experts and observers have been warning and
complaining about these problems for decades.

But complaints, warnings, reports, and books like "VoteScam," haven't
deterred government officials like Pinellas County (Florida) Commissioners
Calvin Harris and County Judge Patrick Caddell. They told the St. Petersburg
Times in October 2001 that they were aware that all of the voting machine
companies had "problems in their pasts."  But, Harris said, "We have to look
at this objectively and not get tied up into the emotions of, 'Some guy
might be a crook."

Dear Commissioner Harris...when it comes to elections in America...assume
crooks are in control...and then act accordingly.



Lynn Landes, 217 S. Jessup Street, Philadelphia, PA 19107 / (215) 629-3553 /
(215) 629-1446 (FAX & ISDN)
Lynn Landes is a freelance journalist specializing in environmental issues. She
writes a weekly column which is published on her website and
reports environmental news for DUTV in Philadelphia, PA. Lynn's been a radio
show host and a regular commentator for a BBC radio program.

Re: Florida Primary 2002: Back to the Future (Mercuri, RISKS-22.24)

<"Bob Morrell" <>>
Wed, 11 Sep 2002 13:18:09 -0400

I think the problems with the Florida voting system could be used as a case
study on how not to implement a computerized system. Indeed, any intelligent
analysis of the tasks and resources should have warned designers that
significant problems were ahead. Device use is infrequent. The staff
responsible for the devices (poll watchers) are usually undertrained
volunteers, often elderly retirees with little experience with electronic
devices, much less computers. Overall system management responsibility is
completely decentrallized and has low priority in all locations. The main
user (voters) are completely untrained. The frequency of exceptions to rules
and the need for override capability is high (flying in the face of the
needs for security) and resource allocation (after the initial post 2000
flurry of concern) for changes and needed alterations is extremely low. Some
of the problems listed by Rebecca Mercuri (Risks Digest 22.24) and in the
general media are so incredible, one has to assume that the vendor selected
for the contract won bid by cutting some very basic corners.

I think that Mercuri's call for a moratorium throughout the United States
(and world) on the procurement of electronic voting systems that do not
provide voter-verifiable paper ballots is the starting point for reform. But
beyond that, given the current operational parameters, one has to ask
whether this system, as is, can be computerized to any great degree.

Bob Morrell

Georgia Secretary of State response to Mercuri in RISKS-22.24

<"Donald R. Calabro Jr." <>>
Mon, 16 Sep 2002 20:29:17 -0400

This is a response to Rebecca Mercuri's article "Florida Primary 2002: Back
to the Future," from Chris Riggall, The Press Secretary for Cathy Cox, GA
Secretary of State.

Mr. Calabro:  Thanks for your message, and for passing along the response
from Ms. Mercuri.

I'm not sure what issues Ms. Mercuri refers to as far as the equipment in
Georgia is concerned, but I'll try to take a stab at it. We operated the new
AccuVote TS systems in two counties in the Aug. 20th Primary and Sept. 10th
runoff elections.  The performance of the equipment in these "real world"
settings was quite good, and based on both media accounts and our personal
visits to precincts those days in Hall and Marion Counties, the response of
voters was overwhelmingly positive.

On the Primary Aug. 20th, many of the other 157 counties also had the
equipment displayed in voting precincts with a demonstration ballot.  This
was one component of a broad based voter education campaign — to let voters
see for themselves the new technology they would vote on in November.  Among
these units about five percent reported problems with screen freezes — and
the solution in that circumstance is to turn the unit off, then back on
again.  This was unfortunate, but not unanticipated since several weeks
prior to the primary Diebold and we became aware that this problem could
occur and was the result of a conflict between the unit's firmware and a new
release of Windows CE that serves as the units' operating system (as a PR
guy, I'm on shaky ground trying to explain this to an IT expert!).  Diebold
programmers developed a patch which was applied to the units deployed in
Hall and Marion counties, and we were pleased that not one freeze was
reported among the tens of thousands of votes cast there.  Unfortunately, we
simply did not have the time to apply the patch to the demo units, but that
is now occurring to all units in all counties and the last increment of
shipments from Diebold had this fix loaded before leaving the factory.

Not referring to Ms. Mercuri, of course, but we have had some wild
allegations about equipment failures in Hall and Marion during these two
elections.  One Georgia political party chairman (he'll go unnamed) put out
a news release claiming that voters in one Hall precinct were turned away
because of equipment failures and were issued "vouchers" so they could
return and vote later.  Balderdash.  Never happened.

Regarding Maryland, the coverage that I saw of that election using Diebold
equipment last week came from the Washington Post — not exactly an
uncritical media outlet.  The primary complaints from that seemed to be
focused on Montgomery County, (one of four counties using that equipment --
representing 40 % of that state's voters) where results were relatively slow
to be compiled and reported.  While slow reporting is not ideal, it is not
in the least the kind of critical failure that occurred in two Florida
counties (Dade and Broward) out of the 15 that deployed new DRE systems last

We would completely agree, and media accounts from Florida suggest, that the
critical issue is education of voters and, even more importantly, poll
workers before the election takes place.  We are putting a tremendous focus
on this and providing to the counties an array of training and technical
support — including hands-on classroom training for about 6,000 poll
workers.  I think her suggestion about using college IT students is an
excellent one, and we have been working with county election officials for a
year to help them expand their poll worker recruitment efforts and expand
their traditional pool to include teachers, students and others with some
level of technical knowledge.

Also regarding Maryland, I thought I would include some information Diebold
put out last week — don't mean to burden you with corporate PR stuff, but
there are some quotes from Maryland election officials which I thought you
would find of interest.

Again, thanks for contacting us.  I know that not every single thing on Nov.
5th will take place perfectly (no election has ever met that standard) but
we are very cognizant of the training issues and are working hard to make
sure the counties perform in this critical  area.  Here's the Diebold info:


Voters in Maryland, Georgia and Kansas Show Widespread Acceptance to New

Photo available at

NORTH CANTON, Ohio - Diebold Election Systems, Inc., a wholly owned
subsidiary of Diebold, Incorporated, today announced its touch-screen voting
terminals performed extremely well in four counties within the state of
Maryland.  This election marks the state's first widespread use of the new
AccuVote-TS electronic touch-screen voting system to be deployed statewide
for future elections.

Over 40 percent of the state's 2.7 million registered voters, located in
four counties -Montgomery, Prince George's, Allegheny, and Dorchester - were
the first to use the new electronic voting system in Tuesday's primary

Currently, Diebold has touch-screen voting systems in more than 170 counties
in many states throughout the United States, totaling more than 35,000
voting stations.  Diebold's touch-screen system was not utilized in the
recent Florida primary election.

"The response from voters was absolutely positive," said Margaret Jurgensen,
election director, Montgomery County Board of Elections.  "I spoke to many
voters after they cast their ballots, and they stated that they loved the
ease of voting with the new system.  Many voters commented about the ease of
reading the ballot on the touch screen.  One visually impaired voter was
able to vote for the first time without assistance because of the ballot
magnification feature of the system.  As with any new technology, our
election staff grew more comfortable with the system as the day progressed,
and we see the implementation of the touch screen system continuing to
improve as our staff becomes more familiar with the technology."

"Our first touch screen primary election was a tremendous success," stated
Donna Rahe, Dorchester County election director.  "The voters of Dorchester
County adapted to the touch screen technology extremely well, and the
combined coordination efforts of the county's election staff and Diebold
Election Systems caused a very smooth transition to the new election

Diebold experienced similar success in August when voters in Hall and Marion
counties in the state of Georgia tallied primary election results on the
touch-screen voting system.  Georgia is the first state in the country to
implement a uniform statewide, computerized touch-screen voting system.
Earlier this year, Diebold announced a $54 million agreement with Georgia
officials to overhaul the state's election system technology making the
state a national leader in replacing outdated election equipment.

"Georgia's new uniform electronic voting system received its first test in
the Primary Election and the Diebold units passed with flying colors," said
Georgia Secretary of State Cathy Cox, Georgia's chief elections official.
"Throughout Hall and Marion Counties we heard extremely positive comments
from voters and poll workers about the convenience, security and ease of use
of the new AccuVote-TS units."

Voters in Johnson County, Kansas, were pleased with the touch-screen system
as well.  Approximately 99-percent of the voters who completed a comment
card after using the system gave it a favorable rating.

 "The Johnson County Election Office is proud of its reputation of making
voting convenient and accessible," said Connie Schmidt, Johnson County
Election Commissioner.  "We are pleased to be the first county in the
Midwest to deploy touch-screen voting computers to all polling places

 "Considering the magnitude of these elections, which includes more than
870,000 registered voters within the four Maryland counties, we are very
pleased with the results as every single vote was accurately counted," said
Bob Urosevich, president of Diebold Election Systems, Inc.  "Increased
familiarity with the system will continue to make the process even smoother
in future elections.  We are working with the voters, poll workers and
election officials to ensure that the entire process is intuitive and
streamlined for everyone involved."

Chris Riggall
Press Secretary
Ga. Secretary of State Cathy Cox
110 State Capitol Atlanta, Ga. 30334

Election idiocy crosses state lines

<"Mark Richards" <>>
Thu, 19 Sep 2002 16:31:22 -0400

When America sends its youth to war, at least in the past, it was for
protecting our freedoms.  Now we send our youth to war on the whim of a
weak mind, one incapable of uttering a coherent English sentence,
drawling nonsense rhetoric.  What for?  Oil of course.  But that's not
important right now.

What's really important is that the sort of thing people died for in wars
past, the right to a fair and free election, is in the hands of those with
little or no mind power, so well-proven by the recent Florida mess, defa vu
all over again.  I haven't read a single commentator who stood up and
suggested that the whole thing is downright unpatriotic; a stain on the
graves of those who died.

Election people, even when given lots of money and another chance,
managed to screw up, royally.  We can certainly blame the computers and
the complexity and moan about the lack of testing, redundancy and
safeguards.  But when I read the news from Marlboro, Massachusetts, and
the fact that, for the second year, the election people screwed up
again, it makes me wonder if The Florida Disease, like the West Nile
virus, is spreading northward.

According to the *Metrowest Daily News*, a snafu brought their
vote-tabulation system to its knees and resulted in the necessity to
hand-count the ballots.  I always appreciate it when the press or
officialdom bring out these cute terms like snafu and glitch.  Makes these
blunders seem, well, harmless.

Last year's problem?  The people maintaining the city's computer system
didn't know last year why the clerk's office was on the computer system
after hours and kicked it off while doing its nightly backup work.

This year?  No one seems to know.  This year, however, the systems
administrators didn't try to back up the files being used by the clerk's
office, Bunting said, so she doesn't know what happened.

But don't worry.  Next year (the third time) will be a charm.  We are
comforted to hear,  The problem shouldn't affect a third election, Bunting
said. She said she's in the final stages of moving City Hall offices off of
a 20-year-old computer system and onto a personal computer system.

Massachusetts just suffered one of the worst voter turn outs in record.
Idiot blunders like these do little to raise confidence that one vote

Retrospective Karger/Schell paper on Multics Security Evaluation

<Steve Summit <>>
Thu, 12 Sep 2002 11:00:06 -0400

I'm sure that many, many readers of RISKS are familiar with the story of Ken
Thompson's Turing Award lecture: of the invisible trapdoor in /bin/login
maintained by an equally invisible trapdoor in the compiler, of the oblique
reference to an "unknown Air Force document" whence came the idea for the
trapdoors, of Ken's request for anyone who knew of the actual paper to let
him know.  What I, for one, did not know was that the paper and its authors
had in fact come to light: "Multics Security Evaluation: Vulnerability
Analysis", written by Paul A. Karger and Roger R. Schell and published by
the Air Force in 1974.  And in a new paper which is simultaneously a trip
down memory lane and an up-to-the-moment call to arms, Karger and Schell
have collaborated on a new, retrospective paper which reviews (and
incorporates a resurrected copy of!) the former report, while analyzing
today's computer security landscape in light of the former report's analyses
and recommendations.

The new paper is "Thirty Years Later: Lessons from the Multics Security
Evaluation".  It is to be presented at the Annual Computer Security
Applications Conference (ACSAC, in December, and a
preprint copy is available under <
cyberdig.nsf/papers?SearchView&Query=(multics)>.  Anyone remotely interested
in computer security (which probably includes just about everyone reading
RISKS) should probably not bother reading any more of this note of mine, but
should head directly to the domino Web site to fetch a copy.  It's an
excellent read, and the opportunity to view the problem from the 1974
perspective — via the incorporated copy of the 1974 paper — is priceless.
(Among other things, it makes you realize how little we've learned since.)

Dismayingly, but not surprisingly, the authors do not find that the
operating systems of today have benefited much from their in-depth analyses
of Multics.  Multics with moderate improvements was, they felt, adequately
secure for a closed environment, but would not have been secure in an open
environment (i.e. accessible to untrusted users) without a new security
kernel which was never completed.  Today's popular operating systems, on the
other hand, are barely as secure as the unimproved Multics was, yet of
course they are routinely asked to serve in the very harshest of
environments: the open Internet.

I'm afraid that the paper may be dismissed by some as another antiquarian
pro-Multics rant, and I've also seen suggestions that it's thinly disguised
Microsoft- or Unix-bashing.  Neither criticism is remotely accurate: the
paper's analysis is impartially objective and if anything borders on the
excessively sober.  To point out security flaws in popular operating systems
is not to bash them; those problems are simple facts.

My only criticism of the paper is not a criticism but a lament, similar to
the one I sometimes feel when reading RISKS these days.  Those of us who
like to think we understand security have been discussing these issues for
decades, but the message does not seem to be getting out; systems at all
levels remain variously depressingly or laughably insecure.  The current
activity surrounding security is almost all what Karger and Schell call a
"battle of wits" between attackers and defenders; little is being done to
make commodity systems fundamentally secure.

The obvious concluding question — of a paper like Karger and Schell's, or a
review like this one — is, what should be done?  The authors are not
dogmatic, merely pointing out that the current situation is unstable and
that some truly secure mechanisms (already known to be both theoretically
and practically viable) will have to be deployed lest chaotic disasters
ensue.  The question for the rest of us is, do we agree, and can we persuade
the parties who matter that they've got to take security more seriously?  An
all too likely reaction to the paper is that its insistence on new,
verifiably secure kernels is extreme and unnecessary, that all we've got to
do to win the "battle of wits" is to try a little harder.  Alas, it's not
clear that we're even keeping up with the adolescents who perpetrate
scourges like Nimda and Klez, and it's even more unpleasant to contemplate
how we might fare if faced with "industrial-strength espionage" (as Vernor
Vinge put it in his haunting novel Marooned in Realtime).  Let's hope we can
find the collective wherewithal to do *something*; I'd rather not find
myself marooned in the postapocalyptic husk of a once-great but inadequately
secure cyberspace.

Steve Summit <>

  [The Web version has an explicit caveat relating to the fact that the
  two papers have been submitted to the Classic Papers section of the 18th
  Annual Computer Security Applications Conference (ACSAC), 9-13 Dec 2002,
  Las Vegas NV, and that until then the papers are considered restricted
  in their distribution.  However, discussion of these papers has already
  reached Slashdot.  We include this notice here to encourage discussion
  of their RISKS-relevance, and to encourage your attendance at ACSAC if
  this topic interests you, not to induce you to violate the caveat on the site.  PGN]

Please report problems with the web pages to the maintainer