The RISKS Digest
Volume 22 Issue 28

Monday, 7th October 2002

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



Payroll fail-safes "didn't work"
J. Lasser
Bear Stearns' bare sterns: erroneous order
David Lesher
Raders of the Last Quark
Identity withheld by request
Too fast fingers, or bad shortcut design?
Pertti Huuskonen
Rep. Boucher --finally-- introduces bill to rescind part of DMCA
Declan McCullagh
Defense Information System Agency leaves shopping list online
Quantum cryptography for secure global communications
Busboy pleads guilty to ID theft
Monty Solomon
"Trojan horse" music?
Matthew Anderson
Court will welcome e-mailed explanations of traffic tickets
Dave Stringer-Calvert
Dewie the Turtle == Bert the Turtle
Jason T. Miller
Address change blocked by online entry validation
George N. White III
Batteries: More electronic voting risks?
Re: Electronic voting methods
David Hedley
Re: Paper ballots, no panacea
David F. Skoll
Jan C. Vorbrüggen
Re: Butterfly ballots
George Russell
Info on RISKS (comp.risks)

Payroll fail-safes "didn't work"

<"J. Lasser" <>>
Sat, 28 Sep 2002 14:50:16 -0400

The only overpaid teacher, AP item, 27 Sep 2002

A Detroit public school teacher's pay was enough to make Bill Gates or
Donald Trump envious.  Thanks to a computer glitch, the teacher was paid
$7.9 million before taxes for 18 minutes of work. The teacher, who wasn't
identified, received $4,015,624.80 after taxes.  Someone alerted the school
district earlier this month, and the money was returned after six days,
chief financial officer Ken Forrest said in Thursday's Detroit News.

The error occurred when a clerk entered an employee number in the hourly
wage field for the teacher's wage adjustment check. The district's payroll
software didn't catch the mistake.  "One of the things that came with (the
software) is a fail-safe that prevents that. It doesn't work," Forrest said.
The district has since installed a program to flag any paycheck exceeding
$10,000, he said.

  [Gee, did they test the fix?]

Jon Lasser

Bear Stearns' bare sterns: erroneous order

<David Lesher <>>
Wed, 2 Oct 2002 23:34:42 -0400 (EDT)

> Bear Stearns placed an erroneous order to sell $4 billion worth of stock
> late Wednesday at the New York Stock Exchange, but most of the order was
> canceled before it was executed.  The NYSE said a clerical error caused
> the brokerage house to enter the order to sell $4 billion worth of
> Standard & Poor's securities at about 3:40 p.m. — 20 minutes before the
> stock market closed. The order should have been for $4 million.  All but
> $622 million of the $4 billion transaction was canceled prior to
> execution, the NYSE said in a statement.  The NYSE had no further
> comment. Officials at Bear Stearns were not immediately available for
> comment.  [AP item]

We have talked about sanity checking time after time.  You'd think that a
major move would require MULTIPLE management approvals.....but..

We have met the enemy and he is us...
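
The payroll item and the Bear Stearns item above are the same failure: a number reached the step that turns it into money without any check that it was the right kind of number or a plausible size. The following is an added example, not code from either RISKS item or from the systems they describe. It layers the checks a payroll or order-entry system should apply before paying or executing: field format (an employee number is not an hourly wage), a plausibility range, a threshold above which a record is held for a human approver, and dual control far above that. Every identifier format and threshold is an assumption made for the example; the only figure taken from the page is the district's $10,000 flag.

```python
"""Added example, not code from the RISKS items or the systems they describe.

Layered checks before a value becomes money:
  1. field format: an employee number must not be accepted as an hourly wage;
  2. plausibility: the value must lie in the range the field can sensibly hold;
  3. threshold: above a limit the record is held for a human approver;
  4. dual control: far above the limit a second, independent approver is needed.
All formats and thresholds below are assumptions for the example, except the
district's $10,000 flag, which is reported on the page.
"""
import re
from dataclasses import dataclass, field

EMPLOYEE_ID = re.compile(r"^\d{6,8}$")   # assumed: employee numbers are 6-8 digits
MAX_HOURLY_WAGE = 250.00                 # assumed ceiling for a plausible hourly wage
PAY_REVIEW = 10_000.00                   # the district's post-incident flag threshold
PAY_DUAL = 1_000_000.00                  # assumed: two approvers above this
ORDER_REVIEW = 100_000_000.00            # assumed desk thresholds for trade orders
ORDER_DUAL = 1_000_000_000.00


@dataclass
class Decision:
    ok: bool = True
    approvals_required: int = 0
    reasons: list[str] = field(default_factory=list)

    def fail(self, why: str) -> None:
        self.ok = False
        self.reasons.append(why)


def approvals_for(amount: float, review: float, dual: float) -> int:
    """0 below the review threshold, 1 above it, 2 above the dual-control limit."""
    if amount >= dual:
        return 2
    if amount >= review:
        return 1
    return 0


def check_wage_adjustment(employee_id: str, hourly_wage_field: str, hours: float) -> Decision:
    """Validate a wage-adjustment entry before it is paid."""
    d = Decision()
    if not EMPLOYEE_ID.match(employee_id):
        d.fail("employee id malformed")
    # The Detroit failure: an employee-number-shaped value typed into the wage box.
    if EMPLOYEE_ID.match(hourly_wage_field):
        d.fail("hourly wage field holds an employee-number-shaped value")
    try:
        wage = float(hourly_wage_field)
    except ValueError:
        d.fail("hourly wage is not numeric")
        return d
    if not 0 < wage <= MAX_HOURLY_WAGE:
        d.fail(f"hourly wage {wage:.2f} outside plausible range")
    gross = wage * hours
    d.approvals_required = approvals_for(gross, PAY_REVIEW, PAY_DUAL)
    if d.approvals_required:
        d.reasons.append(f"gross {gross:,.2f} exceeds {PAY_REVIEW:,.0f}; held for approval")
    return d


def check_order(notional_usd: float, desk_typical_usd: float, max_ratio: float = 100.0) -> Decision:
    """Reject an order wildly out of scale for the desk (billions keyed where millions were meant)."""
    d = Decision()
    if notional_usd <= 0 or desk_typical_usd <= 0:
        d.fail("notional and typical size must be positive")
        return d
    ratio = notional_usd / desk_typical_usd
    if ratio >= max_ratio:
        d.fail(f"order is {ratio:,.0f}x the desk's typical size; suspected unit error")
    d.approvals_required = approvals_for(notional_usd, ORDER_REVIEW, ORDER_DUAL)
    return d


def replay_incidents() -> dict[str, Decision]:
    """Constructed inputs that reproduce the two reported slips."""
    return {
        # about $7.9M gross for 18 minutes: an 8-digit number in the hourly wage field
        "detroit": check_wage_adjustment("1234567", "26333333", 0.3),
        # $4 billion keyed where $4 million was meant
        "bear_stearns": check_order(4_000_000_000, 4_000_000),
    }


if __name__ == "__main__":
    for name, decision in replay_incidents().items():
        print(name, "OK" if decision.ok else "REJECTED", decision.reasons)
```

The point of `replay_incidents` is PGN's question: a fix that flags paychecks over $10,000 is only known to work once the original bad input has been replayed through it and rejected, so the two reported inputs are kept as permanent test cases rather than as a one-off check.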

Raders of the Last Quark

<[Identity withheld by request]>
Fri, 4 Oct 2002

A friend is being admitted to a respected eating-disorders clinic in
Southern California, which I was interested to learn more about.  They have
a fantastic supportive Web site at, mostly
directed at individuals who have plucked up the courage to investigate
treatment options.

However, a small slip of the keyboard can destroy that courage.  Drop the
"s", and redirects you to the Web site of
Nutri/System --- ``your online weight loss solution'' asking ``how much
weight you would like to lose? 10-20 pounds? more than 40?''.  Changing
`rader' to the more intuitive spelling `radar' gives the same results...

The Nutri/System site seems quite legitimate, and of utility to a large
percentage of the population (pun intended).  But to litter the `typo
space' in this way is of potentially life-threatening consequence to the
individuals seeking the Rader Programs site, and thoroughly immoral.

  [Weight!  Wait!  Don't Spell Me!  PGN]

Too fast fingers, or bad shortcut design?

Mon, 30 Sep 2002 10:27:22 +0300

A colleague recently sent me an e-mail containing material that was clearly
not supposed to reach me. Apparently the sender had copied some text from
another e-mail, with the intention to sanitize out the unsuitable bits, but
had accidentally hit "send" before having completed the edits.

While this certainly happens all the time and should be no news to any
RISKS readers, it did make me stop and think about e-mail client UI design.

In our e-mail software, the keyboard shortcut for sending the message out is
CTRL-Enter. In our word processing software (from the same manufacturer) the
command to delete the last word is CTRL-backspace. The same word deletion
method also works in our e-mail client, and seems to get frequent use by
many people.

The two keys are rather close together on most keyboards.  Composing e-mail,
I sometimes accidentally hit CTRL-Enter instead of CTRL-backspace. The
e-mail client then happily sends out the uncompleted e-mail.

Acknowledging my bad keyboard technique, I have chosen to leave my e-mail
client in an offline mode, so I will have time to go back to my Outbox to
rescue any stray e-mail before synchronizing with our IMAP server. I have
therefore had to change my working mode due to the design of keyboard

The RISKS? Bad shortcut design coupled with too fast fingers can cause
embarrassing situations, possibly exposure of improper material, and
increased global demand for an UNDO feature in sendmail.

Rep. Boucher --finally-- introduces bill to rescind part of DMCA

<Declan McCullagh <>>
Fri, 04 Oct 2002 09:02:54 -0700

Here's Boucher talking about this bill as far back as July 2001:

I've put the text of the Boucher bill here:

A similar bill, though not as widely supported, introduced by Rep. Lofgren
is here:

News article on Lofgren bill:


  By Declan McCullagh, Staff Writer, CNET, 3 Oct 2002

  A proposal to defang a controversial copyright law became public on
  Thursday, after more than a year of anticipation and months of closed-door
  negotiations with potential supporters.

  Formally titled the Digital Media Consumers' Rights Act, the new bill
  represents the boldest counterattack yet on recent expansions of copyright
  law that have been driven by entertainment industry firms worried about
  Internet piracy.

  The bill, introduced by Reps. Rick Boucher, D-Va., and John Doolittle,
  R-Calif., would repeal key sections of the 1998 Digital Millennium
  Copyright Act (DMCA). It would also require anyone selling copy-protected
  CDs to include a "prominent and plainly legible" notice that the discs
  include anti-piracy technology that could render them unreadable on some
  players.  [...]

POLITECH — Declan McCullagh's politics and technology mailing list.
You may redistribute this message freely if you include this notice.
To subscribe to Politech:
This message is archived at
Declan McCullagh's photographs are at

Defense Information System Agency leaves shopping list online

<"Peter G. Neumann" <>>
Wed, 2 Oct 2002 11:12:29 PDT

Faulty access controls open DISA's technology requisition system to
snoops. An improperly secured database operated by the U.S. Defense
Information System Agency (DISA) allowed Internet surfers to view and
place orders for computers, networks, cell phones, software, and other
technology used by the military.  Before it was locked down over the
weekend, visitors to the Web site of DISA's Requirements Identification
and Tracking System (RITS) were able to peruse hundreds of requisition
documents, such as a $310,000 order for "new generation STE crypto
devices" in support of the Global Command and Control System.

Quantum cryptography for secure global communications

<"NewsScan" <>>
Fri, 04 Oct 2002 08:36:14 -0700

British researchers have been able to use quantum cryptography keys encoded
in photons of light to communicate through air for 23 kilometers, and the
expectation is that by March of next year this capability will be extended
to 1000 kilometers — far enough to reach all LEO satellites. Because any
measure of a photon will alter its quantum properties, quantum cryptography
guarantees that any attempt to intercept a message will be evident. (*New
Scientist*, 2 Oct 2002; NewsScan Daily, 4 Oct 2002)

Busboy pleads guilty to ID theft

<Monty Solomon <>>
Fri, 4 Oct 2002 01:37:45 -0400

A 32-year-old restaurant busboy pleaded guilty on Thursday to pilfering
personal and financial data belonging to America's rich and famous,
including billionaire Warren Buffett.  Abraham Abdallah, a high-school
dropout, entered his guilty plea in response to a 12-count indictment
charging him with wire, mail, and credit-card fraud, identity theft, and
conspiracy — in what authorities believe is the largest identity theft in
Internet history.  The federal case accuses Abdallah of using the
information as part of a scheme to steal more than $80 million from
individuals, corporations and financial institutions.  Although he pleaded
guilty, Abdallah told U.S. District Judge Loretta Preska he was not driven
by greed. ... Reuters, 3 Oct 2002

  [This case was reported originally in RISKS-21.29.  PGN]

"Trojan horse" music?

<"Matthew Anderson" <>>
Thu, 3 Oct 2002 08:35:07 -0400

Per an announcement in from Stealth MediaLabs, Inc., quote:

"How many unpaid copies of music would you circulate if each contained your
own credit-card number?...  Built upon a new MS Windows Media-compatible
technology...  The StealthChannel is capable of stealthily embedding up to
20 kb/s of data into almost any digital audio signal.  Embedded data can be
anything from images to text to credit-card numbers...  In most cases, data
hidden in the StealthChannel can be embedded without increasing filesize..."

They go on to mention that this is intended to be used as a "carrot" for
those that do authorized copying of music by providing "goodies" such as
discounted tickets or a couple of chapters of books yet to be published...
It doesn't take much imagination to see the risks of this technology...
Music companies "releasing" singles that, when executed, check for other
"unauthorized" music files and then delete them or at least send a list back
to the music company for legal prosecution, songs released to Kazaa or
Gnutella that have viruses embedded in them, etc.

The only limitation (currently, wait till future releases of MS Media
players) is that you need the Stealth MediaLab plug-in to execute these
"goodies".  Ah, to go back to the good old days of having to worry only
about subliminal messages and what the music said when played backwards...

M@ Anderson, Enterprise Architect, American Financial Group
580 Walnut Street, Cincinnati, OH  (513) 412-4457

Court will welcome e-mailed explanations of traffic tickets

<Dave Stringer-Calvert <>>
Wed, 02 Oct 2002 11:01:06 -0700

Tell it to the judge - or better yet, e-mail it to the judge. County
officials are setting up a program under which people who get traffic
tickets can e-mail their excuses and explanations to a judge.  Until now,
they'd have to sit for hours in court, waiting for a hearing. So far this
year in the county, there have been more than 1,200 people who want to
explain to a judge the circumstances surrounding their traffic tickets.
After reading the e-mails, the judges will send their reply - either by
e-mail, or an old-fashioned postcard.

  [Mike Hogsett asked,
    "How long until someone writes the automated excuse generator?  And
    starts collecting stats for them so that only the successful ones are

Dewie the Turtle == Bert the Turtle

Mon, 30 Sep 2002 08:56:42 -0500 (EST)

Looking at Dewie the Turtle (RISKS-22.27), I can't help but be reminded of
Bert the Turtle from "Duck and Cover" (available at
). As a matter of fact, looking at the "totality of security measures"
taken since September 11th, I can't help but be reminded of "Duck and
Cover"; "what has changed" since that fateful day is of no more importance
to the "security" of this nation or its people than the bombproof
school desks of yesteryear.

In re Dewie, I notice the essential difference between cyber security and
civil defense in light of the atomic bomb — since there was nothing a young
child could reasonably do to mitigate the risk of atomic attack, it is
reasonable to "at least calm their nerves", at the very least it does no
harm. In the case of cyber security, from the perspective of someone who
sees so much of IT as _fundamentally_ insecure, providing such a "false
sense" of the same seems ill-advised, as it encourages us to deny the causes
of our problems rather than to fix them (standard practice in the computer
industry, but practice that will have to change if we're going to
_materially_ improve IT security) — in other words, to "cure the symptoms"
while leaving the disease untouched.

The same could of course be said about US "antiterrorism" policy in general,
but RISKS is of course not the place for such a discussion.

Jason T. Miller, One View Engineering  317-915-9039 ext. 302

  [URL also noted by Richard Akerman.  PGN]

Address change blocked by online entry validation

<"George N. White III" <>>
Thu, 3 Oct 2002 22:16:48 -0300 (ADT)

Canada Post recently changed my home mailing address.  Previously my address
involved a rural route number and mail was addressed to the town in which
the post office was situated.  The new address has the same street and
number, but omits the rural route designation and has a different town and
postal code.  This change was first announced over a year ago, but the new
postal codes were only announced a few weeks ago, and are "official" on
Oct. 21, 2002.

BC (before computers) I would simply have mailed change-of-address cards
that take only minutes to fill out. Now I have a choice. I can spend minutes
online trying to find an actual mailing address, or minutes filling out an
online form, only to find that the new address fails the online entry
validation when I submit the form.

Many of the companies I deal with, including well-known online retailers,
allow customers to update their personal information online.  In one case,
when I clicked "submit", the result was an error page stating that my postal
code was not valid for my street address.  After contacting customer
support, I was told that I could bypass the checks by submitting the form a
second time.

The risks here are from data validation systems which assume that there is a
unique mapping (e.g., between street address and postal code) and can only
be updated at a single point in time, so users will be making updated
entries before the database has been updated, or will fail to make the
update so their records become "invalid" when the mapping is updated.
During a transaction, a mailing address is required when the order is
placed.  Credit card companies may check the shipping address when the
charge is applied, hopefully not long before when the item is ready to ship.

My new postal code is interesting, as it consists entirely of pairs of
easily confused letters and numbers: "2Z", "3B", and "6G". Was this
error-prone code rejected when postal codes were first issued, and then
pressed into service when a new code was required? It will be interesting to
observe how often errors are made by people manually transcribing the values
I entered in WWW address forms into their mailing databases.

George N. White III  <>
Head of St. Margarets Bay, Nova Scotia, Canada
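
The retailer's check in the item above assumes that one street has exactly one postal code and that the mapping changes at a single instant. The following is an added example, not George White's code or any retailer's validator, of a check that carries the dates that matter (when a code was announced, when it becomes official, when the old one is retired) and accepts either code while both are in circulation. It also normalizes the easily confused characters he mentions: a letter that can never appear in a postal code (O, I) found in a digit slot can only be a transcription slip, so it is corrected rather than rejected. The street, both codes and all dates are constructed for the example; the real codes are not on the page.

```python
"""Added example; not George White's code or any retailer's validator.
Street, codes and dates below are constructed for the example."""
import re
from datetime import date, timedelta
from typing import Optional

# Canada Post format A9A 9A9: D, F, I, O, Q and U are never used, and W and Z
# never appear as the first letter.
POSTAL_RE = re.compile(r"^[ABCEGHJ-NPRSTVXY]\d[ABCEGHJ-NPRSTV-Z] \d[ABCEGHJ-NPRSTV-Z]\d$")
# A letter in a digit slot that is never valid as a letter can only be a
# transcription slip, so it is corrected rather than rejected.
DIGIT_SLOT_FIXES = str.maketrans({"O": "0", "I": "1"})

# constructed mapping: street -> codes with announcement, official and retirement dates
STREET_CODES = {
    "123 BAY RD": [
        {"code": "B0J 1T0", "announced": None, "official": None, "retired": date(2002, 10, 21)},
        {"code": "B3Z 9Z9", "announced": date(2002, 9, 15), "official": date(2002, 10, 21), "retired": None},
    ],
}
GRACE = timedelta(days=180)   # assumed: how long a retired code still resolves


def normalize(raw: str) -> Optional[str]:
    """Canonicalize input to 'A9A 9A9', fixing O/0 and I/1 in digit slots; None if malformed."""
    s = re.sub(r"\s+", "", raw).upper()
    if len(s) != 6:
        return None
    # letter slots are indexes 0, 2, 4; digit slots 1, 3, 5
    fixed = "".join(ch.translate(DIGIT_SLOT_FIXES) if i % 2 else ch for i, ch in enumerate(s))
    code = f"{fixed[:3]} {fixed[3:]}"
    return code if POSTAL_RE.match(code) else None


def _in_window(day: date, start: Optional[date], end: Optional[date]) -> bool:
    return (start is None or start <= day) and (end is None or day < end)


def validate_strict(street: str, raw: str, today: date) -> tuple[bool, str]:
    """The retailer's behaviour: only the code that is official today is accepted."""
    code = normalize(raw)
    if code is None:
        return False, "postal code malformed"
    for e in STREET_CODES.get(street, []):
        if e["code"] == code and _in_window(today, e["official"], e["retired"]):
            return True, "ok"
    return False, f"postal code {code} is not the official code for {street}"


def validate(street: str, raw: str, today: date) -> tuple[bool, str]:
    """Transition-aware: a code is accepted from its announcement until GRACE after retirement."""
    code = normalize(raw)
    if code is None:
        return False, "postal code malformed"
    for e in STREET_CODES.get(street, []):
        end = None if e["retired"] is None else e["retired"] + GRACE
        if e["code"] == code and _in_window(today, e["announced"], end):
            return True, "ok"
    return False, f"postal code {code} is not known for {street}"


if __name__ == "__main__":
    # the reported failure: the announced-but-not-yet-official code is rejected
    print(validate_strict("123 BAY RD", "B3Z 9Z9", date(2002, 10, 3)))
    print(validate("123 BAY RD", "B3Z 9Z9", date(2002, 10, 3)))
```

Both failure modes George describes fall out of `validate_strict`: before the cutover the new code is refused, and after it every record still holding the old code turns "invalid" overnight. The transition-aware version only refuses codes that match neither entry, which is the one case where a typo is actually likely.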

Batteries: more electronic voting risks

Tue, 01 Oct 2002 13:44:34 -0700

Office evacuated when box of batteries explodes

A box of recycled nickel-cadmium batteries used in voting machines exploded
at a county building Monday afternoon. No one was injured, but about 30
employees were evacuated from the Elections Office at 40 Tower Road.

Around 3:30 p.m., the box of about 1,100 button-shaped batteries blew up,
scattering small metal pieces 10 to 15 feet in all directions of the
warehouse where they were stored, according to Capt. Gary So of the
California Department of Forestry.

So theorized that some of the used batteries had charges left and when
their negative terminals touched, heat built up and they exploded.

Re: Electronic voting methods (RISKS-22.25 and 27)

<David Hedley <>>
Sun, 29 Sep 2002 11:06:05 +0100

Re: Paper ballots, no panacea (Neff, RISKS-22.27)

Andy Neff states in RISKS-22.27 "Paper ballots ... still have to be counted
by machines in an election of any reasonable size."

Not so. British elections still [mostly] consist of voters manually entering
'X' in a box adjoining the candidate's name on a sheet of paper.  For each
constituency [ranging from 1,000,000 eligible voters in a European election
to 1,000 in town elections] these sheets of paper are then brought together
and counted manually. Candidates (or their agents) are allowed to observe
the process.

  [Also noted in the UK by T Panton, in provincial and federal elections
  in Canada by Charles Cazabon, and David Skoll (next).  PGN]

Being a human process, mistakes will of course be made. If the final totals
are close, the losing candidate may request a recount. Manual recounts will
continue until everyone is satisfied. In extreme cases where candidates are
separated by 1 or 2 votes, there will be several recounts.

It's old technology and not very flashy, but it's demonstrably accurate and

However the government is now going down the road of making voting sexier
by trying out new-fangled (even online) voting methods. I fear the worst ...

RE: Elections In America - Assume Crooks Are In Control (Landis, RISKS-22.25)

Lynn Landis stated in RISKS-22.25 "As far as we know, some guy from Russia
could be controlling the outcome of computerized elections in the United

She is partially correct.  I say "As far as I know, some guy from the United
States could be controlling the outcome of computerized elections in the
United States."

For many of us in Europe, the US voting system lost all credibility in the
last presidential election.

Re: Paper ballots, no panacea (Neff, RISKS-22.27)

<"David F. Skoll" <>>
Sun, 29 Sep 2002 00:46:35 -0400 (EDT)

  "Paper ballots, be they optical scan or punch card, still have to be
  counted by machines in an election of any reasonable size."

This is manifestly not so.  Paper ballots can easily be counted by hand,
providing enough people do the counting.  The proper way to count ballots is
to have officers and witnesses count the ballots for each polling station,
and then send their totals to regional tallying centers.  These regional
centers add up the votes and send their totals to national centers.  By
having a tree of counters, and officials from all interested parties at each
stage, truly huge numbers of votes can easily be counted by humans.

If the election is close or results are contested, then the paper
ballots are available for recounting.  A human recount of all ballots
may be slow, but it wouldn't be needed most of the time.

Paper-based solutions can be badly designed, as Neff points out, but a
well-designed paper solution is about the best we have, in spite of modern

Re: Paper ballots, no panacea (Neff, RISKS-22.27)

<"Jan C. Vorbrüggen" <>>
Mon, 30 Sep 2002 18:11:07 +0200

> 1) As most who witnessed the 2000 US Presidential Election agree, paper
> ballots created problems. Paper ballots, be they optical scan or punch card,
> still have to be counted by machines in an election of any reasonable
> size.

There was a general election in Germany a little more than a week ago. From
61 million eligible voters out of a population of a little over 80 million,
79% or about 48 million actually voted, each having two votes. I think this
qualifies as "reasonable size".

The ballot is one piece of paper, on which one has to make a mark in each
of two columns. Thus, about 48 million sheets of paper were counted entirely
by hand, although I'm sure the tallying above the level of the voting locale
is done electronically (this is logarithmic in the number of votes counted
in any case). Usually, it takes about six to seven hours to arrive at the
"vorläufige amtliche Endergebnis" - roughly, the "provisional official final
result". This time, due to some of the election officials leaving their job
when it was half done, it took almost ten hours to get to that point. Cost:
about one Euro (approx. one US dollar) per eligible voter.

I see no reason to believe that this isn't applicable to almost all types of
election. Even the most complicated of elections in Bavaria, where the voter
has a large number of votes he can distribute, or not, according to certain
rules to those wanting to be elected, take at most two days to get to the
final result - the main effect is that the number of invalid ballots is much
larger than the usual ~1%, and here a computerized system would surely be
able to help in filling out the form according to the rules.

Jan Vorbrüggen - MediaSec Technologies, Berliner Platz 6-8, D-45127 Essen
+49 201 437 52 52
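
David Skoll and Jan Vorbrüggen describe a count that is a tree: each polling station is counted by people from every interested party, station totals are summed at a regional level, and regional totals at a national one, with the sheets retained so any level can be re-derived from the one below. The following is an added example, not code from any of the posts or any election authority, that models that structure: a leaf is accepted only if its independent observer tallies agree, and an inner node's transmitted total is always recomputed from its children, so a total altered in transit is detected. Station and region names and all vote counts are constructed.

```python
"""Added example; not from the RISKS posts, which describe the process in words.
Names and counts below are constructed."""
from collections import Counter


def tally(node: dict) -> tuple[Counter, list[str]]:
    """Return (totals, problems) for a subtree.

    A leaf carries 'counts': one candidate->votes dict per observing party,
    all made independently from the same sheets.  An inner node carries
    'children' and optionally 'transmitted', the total it sent upward, which
    is checked against the total re-derived from the children.
    """
    problems: list[str] = []
    if "counts" in node:
        counts = node["counts"]
        if any(c != counts[0] for c in counts[1:]):
            problems.append(f"{node['name']}: observer tallies disagree; recount required")
            return Counter(), problems          # excluded until recounted
        return Counter(counts[0]), problems
    total: Counter = Counter()
    for child in node["children"]:
        sub, sub_problems = tally(child)
        total.update(sub)
        problems.extend(sub_problems)
    sent = node.get("transmitted")
    if sent is not None and Counter(sent) != total:
        problems.append(f"{node['name']}: transmitted {dict(sent)} but station sheets give {dict(total)}")
    return total, problems


# constructed tree: two regions, two stations each; one station's observers
# disagree, and one region transmits a total that its own sheets do not support
SAMPLE_TREE = {
    "name": "National",
    "children": [
        {
            "name": "North",
            "transmitted": {"A": 310, "B": 190},      # sheets actually sum to A=210, B=190
            "children": [
                {"name": "N1", "counts": [{"A": 120, "B": 80}, {"A": 120, "B": 80}]},
                {"name": "N2", "counts": [{"A": 90, "B": 110}, {"A": 90, "B": 110}]},
            ],
        },
        {
            "name": "South",
            "children": [
                {"name": "S1", "counts": [{"A": 100, "B": 100}, {"A": 100, "B": 100}]},
                {"name": "S2", "counts": [{"A": 70, "B": 130}, {"A": 71, "B": 129}]},
            ],
        },
    ],
}


def run(tree: dict = SAMPLE_TREE) -> tuple[dict, list[str]]:
    """Count the tree from the sheets up and report every level that needs attention."""
    total, problems = tally(tree)
    return dict(total), problems


if __name__ == "__main__":
    totals, issues = run()
    print("totals from sheets:", totals)
    for issue in issues:
        print("PROBLEM:", issue)
```

Because the national figure is built only from station sheets, the inflated regional total never enters it; it is reported as a discrepancy instead. The disagreeing station is held out rather than averaged, which is the manual-recount rule the posts describe. The number of levels grows with the logarithm of the number of stations, so the electronic part Jan mentions is a small, checkable sum at each level rather than a count of individual ballots.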

Re: Butterfly ballots (Neff, RISKS-22.27)

<George Russell <>>
Mon, 30 Sep 2002 13:43:21 +0200

> Re: Paper ballots, no panacea
> Remember the butterfly ballot in Palm Beach County, Florida ...

I think what the butterfly ballot problem indicates is that ballot papers
should be designed for humans, not machines.  I have voted in both the UK
and Germany, and I think I am not alone among Europeans in finding the
current American debate surreal.  We all have systems where ballot papers
have two columns, with the candidates' names and/or parties listed in the
first column, and boxes next to these names in which you put a cross or (for
STV systems) a number.  All votes are counted at least once, by humans, and
(at least the UK) the candidates are entitled to send along representatives
to watch every stage of the process.  Where there is a problem which might
affect the result of an election it ends up in the courts; for example a few
years ago a local election turned on whether someone who had put a gigantic
cross over the entire ballot paper intended to vote for the candidate whose
box contained the centre of the cross, or just intended to spoil the paper.
But this is so rare it hardly ever happens.  The system is so obvious and so
simple it is embarrassing to have to spell it out in comp.risks, but I can't
understand why American states instead seem addicted to mechanical solutions
which will invariably go wrong somehow.

Furthermore I just don't see the point of letting machines do the counting,
but keeping backup paper ballots for humans to count just in case the
machines go wrong or one of the candidates smells a rat.  Why keep paper
ballots unless you have trained and experienced humans in place to count
them?  And if you have that, why not just get the humans to count the papers
in the first place?  In the UK if the candidates dispute the result of a
close-run election they can call for a recount.  This is I think much
quicker than the original count, since the ballot papers are already sorted,
and it is only a question of checking that they are all correctly
distributed.  I'd have to check the Guinness Book of Records for this, but I
think the record number of counts in a British General Election is something
like 7, and it took about 20 hours from when the polls closed.  A far cry
from Florida in 2000, where it wasn't possible to count every vote even once
in several months.

I suppose American states choose to do counting by machines because it's
cheaper.  But you'd think that given that we only vote once every few years,
it might be worth spending a dollar or two per voter (I doubt if it costs
anything nearly as much as that in the UK) to see that you get every vote
counted properly.

I don't want to pretend the British system is perfect; you have other issues
like the security problems allocating postal votes in the 2001 General
Election, and the risk that, because there is no British identity card, it
is very easy to vote pretending to be somebody else.  But these are
orthogonal to the question of how you actually vote and count the votes.

I'm not an expert at all.  I feel incredibly naive.  But at least would
someone be good enough to explain in baby-talk why it is necessary to have
complex mechanical systems at all, when the simple paper one seems to work
so well.

  [Incidentally, the butterfly ballot is apparently technically illegal
  in Florida, but was approved anyway.  PGN]
