The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 22 Issue 26

Weds 25 September 2002

Contents

Press Releases MIT vs Mercuri
Rebecca Mercuri
Cost cutting endangers hospital power
Rich Brown
South Wales train leaves without driver
Fuzzy Gorilla
Greek government doesn't quite ban electronic games
Bruce Anderson
Yet another intrusive Web site
Michael Ortega-Binderberger
Air passenger jailed for using mobile
George Roussos
Re: Microsoft says Win 2000 hacking outbreak subsides
Mike Patnode
Re: The pinnacle of chutzpah in spam filtering
Peter Corlett
Re: Retrospective Karger/Schell paper on Multics Security Evaluation
Paul Karger
REVIEW: "Pearl Harbor Dot Com", Winn Schwartau
Rob Slade
Info on RISKS (comp.risks)

Press Releases MIT vs Mercuri

<"Rebecca Mercuri" <notable@mindspring.com>>
Tue, 24 Sep 2002 13:44:34 -0400

I was forwarded the following press release from MIT/CalTech from a source
at IEEE Spectrum and am seriously concerned about the conclusions they have
drawn regarding the recent Florida primary election.  The press release is
here in its entirety, followed by my analysis/rebuttal.  R. Mercuri.

>Date: Thu, 19 Sep 2002 10:56:22 -0700
>To: Recipient List Suppressed:;
>Subject: Caltech-MIT Team Find 35% Improvement in Florida's Voting Technology

>For Immediate Release
>September 19, 2002

>Caltech-MIT Team Finds 35% Improvement in Florida's Voting Technology

>PASADENA, Calif. - If one measures election success by equipment
>performance alone, Florida's push to get new voting equipment
>on-line for the 2002 election appears to have paid off.

>Compared with the performance of equipment in past Florida state
>primary elections, the new technologies for casting and counting
>ballots look like clear improvements according to experts at the
>California Institute of Technology and the Massachusetts Institute
>of Technology.

>Researchers from the Caltech/MIT Voting Technology Project
>calculated the rate of residual votes (ballots on which no votes or
>too many votes were recorded) for the largest counties in Florida
>for the 2002 Democratic Gubernatorial Primary and for the last three
>Gubernatorial General Elections in Florida (1990, 1994, and 1998).
>These counties are Brevard, Broward, Duval, Hillsborough,
>Miami-Dade, Palm Beach, and Pinellas.

>The residual vote rate, it appears, has been substantially reduced
>as a result of the election reform efforts of the past year. On
>average, 2.0 percent of Democratic voters recorded no vote for
>governor in these seven counties.  In past elections, the average
>has been 3.1 percent.  This is a 35 percent improvement in
>performance.

>The largest apparent improvements came in Brevard and Duval
>counties, which switched from punch cards to optically scanned paper
>ballots.  The remaining counties purchased new touch screen or
>Direct Recording Electronic (DRE) machines.  All of the counties
>show some improvement in their capacity to record and count votes.

>Residual Vote Rates for Governor in the 7 Largest Florida Counties
>County 2002 Voting Equipment Residual Vote Rate
>      Demo Primary.                   Gen. Gen. Gen.
>                  2002    1998  Ave.  1998 1994 1990
>Brevard      1.0% Scanner Punch 4.2%  2.6% 4.5% 5.4%
>Broward      2.0  DRE     Punch 2.6%  2.7  1.9  3.3
>Dade         3.0  DRE     Punch 3.2%  4.0  2.7  3.2
>Duval        2.2  Scanner Punch 3.4%  3.1  2.5  4.5
>Hillsborough 1.6  DRE     Punch 2.3%  2.7  1.9  N/A
>Palm Beach   2.3  DRE     Punch 3.1%  3.7  2.3  3.3
>Pinellas     1.9  DRE     Punch 2.2%  2.3  1.9  2.3
>Total        2.0                3.1%
  [General elections; PGN approximate reconstitution of a garbled table]

>Source: Florida Division of Elections and county election offices
>of each county.

>(This table may lose formatting in your email program, see accurate [...]

>"These results are very encouraging," said Stephen Ansolabehere, a
>professor at the Massachusetts Institute of Technology and
>co-director of the project. "Florida made a major effort to upgrade
>its technology and, in the primary, the machines used showed clear
>gains over the technologies in past elections."

>Professor Charles Stewart, another MIT professor working on the
>Voting Technology Project, cautions that "the success of an election
>cannot be measured solely in terms of equipment performance.
>Current events in Florida also illustrate how better technology is
>just a first step in improving the functioning of democracy."
>Stewart said, "Most of the problems reported by journalists covering
>the 2002 Primary Elections in Florida did not concern equipment
>malfunctions, but problems encountered preparing for election day,
>such as training poll workers."

>R. Michael Alvarez, co-director of the Voting Technology Project and
>professor of political science at the California Institute of
>Technology, said "As counties and states across the country,
>especially here in California, plan out similar changes, we are
>learning important lessons about how to make such important changes
>in voting technologies."

>"The one distressing thing, though, are the reports from Florida
>that polling place workers had difficulties getting some of the new
>voting machines up and running on election day in Florida, and that
>as a result, some voters might have been turned away from the
>polling places. These reports reinforce our calls for more polling
>place workers and better training of polling place workers, as they
>provide a critical role in making sure that all votes are counted,"
>Alvarez said.

>MIT's Stewart adds "The fact that the congressional election reform
>bill is currently stalled in a House-Senate conference committee
>hasn't helped matters any."

>The Caltech/MIT Voting Technology Project is a non-partisan research
>project, formed to study election systems following the 2000
>presidential election and sponsored by the Carnegie Corporation.
>More information and copies of reports are available at
>www.vote.caltech.edu.

>MEDIA CONTACT: Jill Perry, Caltech Media Relations Director
> (626) 395-3226

> Sarah Wright or Ken Campbell, MIT News Office
> 617 253-2700

>Jill Perry
>Media Relations Director
>California Institute of Technology (Caltech)
>Mailing Address: Mail Code 0-71, Pasadena, CA 91125
>Street Address: 315 S. Hill Ave., Pasadena, CA 91106
>Ph: (626) 395-3226
>Fax: (626) 577-5492
>jperry@caltech.edu

 - - - - -

NEWS RELEASE, September 24, 2002

Rebecca Mercuri rebuts recent MIT/CalTech voting systems analysis and
calls for moratorium on new electronic balloting equipment purchases

After reviewing the press release issued September 19 by MIT and CalTech,
electronic voting system expert Rebecca Mercuri revealed that "the
conclusion that MIT/CalTech researchers has drawn, that Florida's new voting
technology shows a 35% improvement, is based on a flawed analysis and is
likely erroneous."  She goes on to state that not only are the researchers
comparing "apples to oranges" in terms of the types of technologies surveyed
(punch-cards versus optically scanned and DRE machines), but they have
misleadingly compared Gubernatorial general election results to
Gubernatorial primary results (and only for the Democrats in the 2002
primary).

It is well known that voters in general elections turn out in far greater
numbers (in Florida it is estimated that the November election will show a
400% increase or more) than in primaries, putting greater strain on the
performance of systems as well as on poll workers and voters.  The balloting
style of the typical primary voter (usually a party insider, and certainly a
partisan with a larger interest in selecting candidates for each race on the
ballot) is quite different from the general election voter, where
independents and other non-declared or minority party affiliation citizens
are permitted to cast ballots.  Thus, only in November will we be able to
ascertain whether the residual vote rate has actually "improved." Hence,
Dr. Mercuri asserts, "the conclusion is premature, as well as flawed."

Laudatory statements made by Stephen Ansolabehere, Charles Stuart and
R. Michael Alvarez regarding Florida's new voting systems are also sorely
misleading, and do not support their conclusion of 35% improvement.  MIT
Professor Stuart's comment that "most of the problems covered by
journalists...did not concern equipment malfunctions" is not based on an
analysis of the numerous and severe voting system problems that occurred
throughout the state, but rather on the media reports that surfaced.  Many
equipment malfunctions were reported by the Associated Press and other news
bureaus, but these were obfuscated by the public interest stories that
alternatively showed voters "pleased with the new equipment" or being
"turned away from the polls in droves."

A lot of the media attention focused on press comments by Governor Jeb Bush
and members of his staff who erroneously characterized the problems as being
based only in two counties (Miami-Dade and Broward) and blamed the poll
workers and election officials there for the situation.  In actuality,
Miami-Dade and Broward could not have purchased the ES&S machines had they
not been pre-certified by the state for use.  Sadly, this certification
failed to provide the counties or their poll workers with sufficient
notification as to the fact that the voting machines would take 10 minutes
to start up, with the ones outfitted for the visually impaired taking an
astonishing 23 minutes.  Some machines also contained a "safety feature"
that did not permit them to be turned on before 6AM on election day.  Since
each unit is activated sequentially, simple math shows that a polling place
containing 10 voting machines, with one outfitted for the visually impaired,
would not be fully operational until nearly 8AM (an hour after the polls
opened) under the best conditions.  Mercuri states: "I certainly do not see
how this can be blamed on the poll-workers, nor how it constitutes an
improvement.  I'm hard pressed to think of any computer equipment
manufactured after the 1970's that takes 23 minutes to be started,
especially those deployed for use entirely in time-critical operations.  The
failure by MIT/CalTech to raise serious concerns about the engineering of
these products is remiss."

MIT's Ansolabehere stated that "the machines used showed clear gains over
the technologies used in past elections."  To which Dr. Mercuri replies:
"Yes perhaps, if one considers declaring a state of emergency (under threat
of lawsuit by a major candidate) and extending the election day by two hours
a "clear gain."  How about in Union County, Florida, where 2,700 optically
scanned ballots had to be hand counted, because the computers were
erroneously programmed to only tally votes for Republican candidates? At
least there, the ballots could be recounted because they were on paper.
What about the precinct in southern Florida that showed a 1200% voter
turnout (12 times as many voters as were registered) because the DRE
activation cards permitted voters to cast ballots on machines in the same
building that were not in their precinct?  And what about some precincts in
Miami-Dade and Broward where the vote cartridges reflected over 40% residual
votes (lost or missing) and data had to be "extracted" from back-up memory
inside of the machines (one wonders how trusted the reconstructed results
can be)?"

CalTech's Alvarez states "we are learning important lessons about how to
make such important changes in voting technologies" and Mercuri asks: "Is it
fair to allow Florida and other states and communities to feel pressured to
replace their voting systems while being treated as guinea pigs?  Is the
United States prepared to reimburse communities for defective and obsolete
equipment once new standards are in place (since all election equipment is
still being inspected by the National Association of State Election
Directors testing authorities to the outdated 1990 Federal Election
Commission guidelines)? Is it acceptable to certify voting equipment that
can be reprogrammed internally via a portal on the device (as some were,
only weeks before the election in Palm Beach County as well as elsewhere in
the state)?  These new technologies are playing a role in electing
government officials - the confidence citizens have in the democratic
process is at stake."

Mercuri, who has testified before the U.S. House Science Committee regarding
the need for involvement of the National Institute of Standards and
Technologies in establishing criteria for the procurement and testing of
election equipment, feels that congressional election reform is sorely
needed. But, she notes that many of the laws proposed at federal and state
levels, or enacted since 2000, have been weakly worded so as to permit the
production of election equipment that does not provide an independent means
whereby voters can verify human-readable ballots that are secured and
available for recounts. "Real election reform," Mercuri says, "is only
possible within a context of adequate and enforceable standards for
construction, testing, and deployment of voting equipment."

But Mercuri worries that the trend to full automation of the voting process
could be used to conceal election fraud. She warns, "It is entirely possible
that Florida and other states may smooth out their election day problems
such that it appears that the voting systems are functioning properly, but
votes could still be shifted or lost in small percentages, enough to affect
the outcome of an election, within the self-auditing machines.  Whether this
occurs maliciously or accidentally, it presents a frightening prospect.
Thankfully, new products are being developed that provide the voter with a
way to determine that their ballot has been tabulated correctly, without
revealing the contents of their vote, but deployment of such systems is a
few years down the road."

For these reasons, Dr. Mercuri has requested a moratorium on the purchase of
any new voting systems that do not provide, at minimum, a voter-verified,
hand-recountable, physical (paper) ballot while appropriate laws, standards,
and technologies are developed that will provide accurate, secure, reliable,
and auditable voting systems. She urges MIT, CalTech, and other concerned
scientists, public officials and private citizens to join her in this cause.

For further information contact:

Rebecca Mercuri, Ph.D.
P.O. Box 1166, Phila. PA 19105
609/895-1375, 215/327-7105
www.notablesoftware.com/evote.html
mercuri@acm.org


Cost cutting endangers hospital power

<"Rich Brown" <rabbav@freemars.org>>
Sat, 21 Sep 2002 09:07:00 -0500

http://www.twincities.com/mld/twincities/news/4119286.htm

  [The above URL may disappear before this issue appears.]

There is no individual villian here - it took the combination of a power
company willing to reduce reliability in the name of cutting costs and
errors installing the (multiple) hospital generators to cut operating room
power.


South Wales train leaves without driver

<"Fuzzy Gorilla" <fuzzygorilla@euroseek.com>>
Wed, 18 Sep 2002 18:39:30 -0400

Another episode of a train leaving the station without its driver occurred
on a South Wales commuter train between Rhymney and Cardiff.  The driver,
who had been chatting with railway workers on the platform, did a 100-yard
sprint to catch up with the train.  However, a spokesman for Valley Lines
reportedly said that the train would have stopped automatically in another
fifty yards.  [Source: All Aboard! Except for Driver of Runaway Train,
Reuters item, 18 Sep 2002, via Yahoo; PGN-ed; perhaps the driver was in
training (sprintwise)?]
  http://dailynews.yahoo.com/news?tmpl=story2&u=/nm/20020918/od_nm/train_dc


Greek government doesn't quite ban electronic games

<Bruce Anderson <bruce-anderson@rogers.com>>
Fri, 13 Sep 2002 20:27:30 -0400

This one sounded too far out, so I checked with the local Greek consulate.
(My question to them was "is this a hoax?", quoting the Web page referenced
in RISKS-22.23.)  Here is their reply.  I hope this clears the air a bit.

  After we received your e-mail we have forwarded it to the Press Office of
  the Greek Embassy in Ottawa. They have informed us they are aware of these
  articles but they are not accurate. The New Greek Law has banned all games
  that can be used for gambling or modified for gambling purposes even if
  they exist in private spaces (Only Casinos are excluded from the banning).
  However neither foreign tourists neither Greek citizens will be prosecuted
  when they use cell phones with games , or lap tops in which games are
  installed or any portable game consoles for example :play stations,
  gameboys, x-box etc, since these games cannot be modified for gambling and
  furthermore the owner doesn't insert coins or credit cards in order to
  continue using them. We hope that this answers your question.


Yet another intrusive Web site

<Michael Ortega-Binderberger <miki@ics.uci.edu>>
Thu, 12 Sep 2002 02:50:13 -0700 (PDT)

A few days back, and with the september 11 anniversary, a local news station
in Los Angeles, CA (reasonably large audience) advertised the efforts of a
Web site called 4MyEmergency.com.  The idea is that most people do not have
all their personal information "together" in case of a disaster, and the
Web site wants to help you get your act together. Its full of good wishes,
privacy pledge, etc. so far so good.

What the Web site does for you is to generate a report that you can leave
with a loved one in case of disaster.  Unfortunately, disaster can come much
earlier thanks to its information gathering process. It asks you in a series
of 7 forms all conceivable information about yourself: name, address/phone,
birthdate, names/phones of family, friends, your doctor,dentist, pharmacist
and insurance agent, your medical history, home, car, health and life
insurance policies (the company, phone, policy numbers and where they are),
home security company and even though they don't "recommend" you give them
your security code, yep, there you can write it down if you so choose. To
make you feel good, you can also include your religious and pet information
to go with your credit card, banking, accountant, attorney and real estate
information.

Its actually so concerned with security that it does not ask for your social
security number, you can just write it down on the final printout, or "mail
it to a friend or family member you trust".

The homepage states that "For additional security, this Web site uses the
highest level encryption." However, all of this is transmitted in the clear
with not even SSL encryption to a Web site that has no credibility beyond
good wishes and a click-through privacy agreement.

To be fair, most fields are optional, but then, why would anyone use it in
the first place?

The RISKS? The information they collect is tailor made for identity theft,
they have no security, and the media is giving them a free pass and even
some promotion despite frequent warnings about identity theft in southern
California.


Air passenger jailed for using mobile

<George Roussos <gr@dcs.bbk.ac.uk>>
Wed, 11 Sep 2002 16:25:51 +0100 (BST)

A passenger who played a game on his mobile phone during a flight has been
jailed for four months.  (BBC coverage at:
  http://news.bbc.co.uk/1/hi/england/2248683.stm)

The risks of playing Tetris!


Re: Microsoft says Win 2000 hacking outbreak subsides (RISKS-22.24)

<mike.patnode@teradyne.com>
Thu, 12 Sep 2002 16:28:01 -0400

> MS urges us to take preventive measures to protect themselves against
> future attacks: eliminate blank or weak administrator passwords, disable
> guest accounts, run up-to-date antivirus software, use firewalls to
> protect internal servers, and stay up to date on all security patches.

I just had Windows 2000 installed on my laptop (company policy).  This
software ships with very little security enabled and numerous webs sites,
including Microsoft, tell me to update it and change account settings.  But
it is so hard to figure out what to do!  We are told to change the Admin
password, but also warned that some (unnamed) programs will stop working if
we do this.  The computer help files and Microsoft web site do not tell
which accounts are needed or why.  What I can tell is my machine has now
been changed into a multi-user environment, which is not what I want.  Also
Microsoft tells us to use "snap-ins".  What on earth are they?  Which ones
affect which accounts?  I can't make random changes to my machine, as it has
to work within a corporate network.

I think the reason this is so confusing is Microsoft does not know what are
the correct settings for the many pre-installed accounts and is trying to
make its users figure this out on their own.  Otherwise, wouldn't the
software be shipped with appropriate settings already enabled?


Re: The pinnacle of chutzpah in spam filtering

<abuse@mooli.org.uk (Peter Corlett)>
Wed, 11 Sep 2002 17:05:10 +0000 (UTC)

>     [Why you'd have a content filter on an 'abuse@...' is beyond me.]
>        [Because they get lots of spam also?  PGN]

Yes.

I adopted a username of "abuse" in 1998 or so to reduce the amount of spam I
received. It was rather effective. Still, the thieves who want to steal my
bandwidth have now added the new address to their "Trillion Guaranteed
Addresses" CDs and there's a reasonable chunk aimed at my MX hosts.

The MX hosts run abuse@ through my hand-crufted Exim Filter rules and issue
bounces. They're based on header peculiarities caused by certain popular
bits of spamware, so the usual risks of keyword filtering don't seem to
apply in my specific case. I include a phone number in the bounce, and
nobody has complained yet, anyway.

When I used to work on an abuse desk, we had an incredible amount of junk
sent to the abuse@ address as well. Unfortunately, it wasn't sensible to
attempt to filter that lot, exactly because of the noted RISK. Besides, I
wouldn't get the BOFHly pleasure of nuking a user for spamming if I'd lost
the complaint :)


Re: Retrospective Karger/Schell paper on Multics Security Evaluation

<karger@watson.ibm.com>
Wed, 25 Sep 2002 17:48:05 -0400

Since our paper was reviewed this week on both RISKS (Summit, RISKS-22.25),
people who downloaded it may be interested in obtaining a newly revised copy
that includes a few small changes based on some of the comments and
suggestions we have received, as well as some typographical corrections.
Roger and I thank everyone who sent us comments (from Slashdot, RISKS, and
open-source), as they were most helpful.

The URL remains the same:

http://domino.watson.ibm.com/library/cyberdig.nsf/papers?SearchView&Query=(multics)&SearchMax=10

http://domino.watson.ibm.com/library/cyberdig.nsf/papers
  ?SearchView&Query=(multics)&SearchMax=10
     [broken, if your mailer blows the unbroken version]

Some people downloading it on 24 or 25 September (yesterday and today) may
have run into problems, both with the link to the actual PDF and with two
pages being missing from the PDF.  Both of these problems have now been
resolved, and I hope that they did not cause anyone too much trouble.


REVIEW: "Pearl Harbor Dot Com", Winn Schwartau

<Rob Slade <rslade@sprint.ca>>
Wed, 11 Sep 2002 19:46:31 -0800

BKPRHRDC.RVW   20020628

"Pearl Harbor Dot Com", Winn Schwartau, 2002, 0-9628700-6-4, U$9.99
%A   Winn Schwartau winns@gte.net
%C   11511 Pine St. N., Seminole, FL   33772
%D   2002
%G   0-9628700-6-4
%I   Inter.Pact Press
%O   U$9.99 727-393-6600 fax: 727-393-6361
%P   512 p.
%T   "Pearl Harbor Dot Com"

Dear Winn,

Thank you for the copy of "Pearl Harbor Dot Com."  In recognition of this
book's demonstration of your deep personal commitment to recycling (and at
least you admit that this story started life as "Terminal Compromise": many
don't) I was going to reprint my original review (cf. BKTRMCMP.RVW) but I
suppose that wouldn't be fair to anyone.

You have tightened up the writing considerably.  (With age, and a few more
books under the belt, comes grammar, eh?)  However, I still note "refuse"
for "refuge," a semicolon for "that," "hesitancy" for "hesitation," and a
whole lot of redundancy.  (And what is with your fetish for "Glen Fetich"?)

Your characters are a little more interesting and consistent, although Miles
Foster (and most of the other technical people) still seem to be geek wish
fulfillment.

The plot has more tension, but it is still *way* too convoluted.  You've got
a whole shoal of red herrings (and you know what they say about old fish
after a while) and a ripped-out wiring closet full of loose ends.

Even disregarding a computer system that will crack Blowfish and AES in
seconds, and the wonderful, mythical lethal virtual reality feedback bug, I
still have some technical bones to pick with you.  Why does a power outage
shut down a battery operated radio?  Carbon dioxide does not suck oxygen out
of the air.  And my son-in-law is a pilot on that type of aircraft, and has
had power failures at exactly that point in the flight (the latest due to a
lightning strike).  My grandchildren aren't orphans yet.

I couldn't ignore your "virus" now, could I?  In having it burn out a
printer port, were you trying to resurrect the old "Desert Storm virus"
canard?  I recognized the old timing based video burnout trick and the
somewhat debated issue of excessive diskette read head travel (neither was
ever used in a virus).  But, for crying out loud, if you sold three hundred
million "infected" programs, why would you need a virus?  And if you
distributed that many copies of malware, you think nobody would notice?
(Yes, OK, "Windows."  Partial point to you.  But people are finding bugs in
it every day.)

I agree with your basic point: the general public should be more aware of
the weaknesses in the technology that controls so much of modern life.  But
you don't strengthen your argument by making enough mistakes that it looks
like you don't understand it either.

copyright Robert M. Slade, 1993, 2002   BKPRHRDC.RVW   20020628
rslade@vcn.bc.ca  rslade@sprint.ca  slade@victoria.tc.ca p1@canada.com
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

Please report problems with the web pages to the maintainer