The RISKS Digest
Volume 22 Issue 38

Wednesday, 13th November 2002

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Wireless keyboard
Mike Hogsett
Server crash leaves students unable to register
Max Power
Colleges urged not to monitor peer-to-peer sharing
Re: Hartford Public Library Net Browsing - Bugged or Not?
George Mannes
More on the Autotote scam
Joke not so funny anymore
Toby Gottfried
Chip glitch hands victory to wrong candidate
Glitches indeed!
Rebecca Mercuri
Steven Hertzberg
Election integrity in general
Re: Lynn Landes's analysis of the 2002 Elections
Rebecca Mercuri
Re: Zogby poll failures
Henry Baker
REVIEW: "Manager's Guide to Contingency Planning for Disasters", Kenneth N. Myers
Rob Slade
REVIEW: "High Technology Crime Investigator's Handbook", Gerald L. Kovacich/William C. Boni
Rob Slade
Info on RISKS (comp.risks)

Wireless keyboard

<Mike Hogsett <>>
Mon, 11 Nov 2002 11:31:50 -0800

While a Stavanger man typed away at his desktop computer, his text was also
streaming in on his neighbor's machine in a building 150 meters away.

All I can say is Why-re-less?

 - Mike Hogsett

Server crash leaves students unable to register

<Max Power <>>
Tue, 12 Nov 2002 18:23:46 -0800 (PST)

The five servers that handle Washington University's class registration
crashed on 8 Nov 2002, preventing several thousand students from signing up
for their winter-quarter classes for most of the day.  This was attributed
to a system software problem rather than an overload problem: The software
translating students' Net IDs into student numbers was running much slower
than previously.  14,000 students were eligible to register, as opposed to
only 1,000 in the spring quarter.  Ironically, this came shortly after the
Registrar's Office had permanently shut down its Student Telephone Assisted
Registration system (STAR), because of phone-line costs and lack of use.
[Source: Alex Sundby, *The Daily*, Washington University, 12 Nov 2002; PGN-ed]

Colleges urged not to monitor peer-to-peer sharing

<"NewsScan" <>>
Mon, 11 Nov 2002 10:05:51 -0700

The Electronic Privacy Information Center (EPIC), a Washington-based
nonprofit organization that promotes freedom of speech on the Internet, is
attacking letters recently written by the recording industry asking college
officials to monitor Web use at their institutions for copyright violations
made through peer-to-peer sharing of music or video files by members of the
academic community. EPIC is criticizing those letters for trying to shift
the burden of content enforcement to academic institutions which have scarce
resources for such purposes, and is warning against a network "arms race"
between file sharers and copyright enforcers. The group thinks colleges
should avoid adopting a "confrontational role with respect to these
technologies," because all it would do would be to harm the network's
overall performance. [IDG News Service 11 Nov 2002; NewsScan Daily, 11 Nov

Re: Hartford Public Library Net Browsing - Bugged or Not? (R-22.35)

Mon, 11 Nov 2002 11:54:39 -0500

Bill Olds' *Hartford Courant* column "The FBI Has Bugged Our Public
Libraries" was excerpted starkly in RISKS-22.35.  The column apparently
cited "anonymous sources".  The FBI responded, claiming the information was
false, and the paper now admits it should have been more rigorous in
checking the details.  Olds said, "I called the Justice Department but I was
told they could not discuss issues involving the FBI and libraries. ... In
the atmosphere of secrecy created by the Patriot Act, my sources
misinterpreted what the FBI was doing."  As Don Sellar, ombudsman at *The
Toronto Star*, once said, "When the sources are wrong, they're wrong
anonymously and it's the newspaper's credibility that gets publicly dented."
[Source: "Anonymous Sources, Bad Information", Karen Hunter, *Hartford
Courant*, 10 Nov 2002; PGN-ed],0,6354989.column

George Mannes, 14 Wall Street - 15th Floor / New York, NY  10005
phone: 212-321-5208 / mobile: 917-207-5790

More on the Autotote scam (RISKS-22.35)

<"Peter G. Neumann" <>>
Wed, 13 Nov 2002 10:20:18 PST

The saga of the PickSix winner that culminated in a wild-card bet on every
horse in the Breeders' Cup Classic (the horse race with the U.S.'s largest
pot) continues, and provides a timely set of lessons, for example:

 * The intense risks of insider misuse in certain types of systems
 * The perils of poor system designs that seriously ignore security
 * The importance of audit trails, and especially nontamperable ones
 * The value of truly independent unbiased objective security audits
   by really knowledgeable and experienced red-teaming experts

Whenever such an unusual event involving a large payout is detected, an
immediate concern should be this: Have there been other similar cases that
were not previously noticed?  In the Breeders' Cup case, it was soon
thereafter discovered that the same type of scam had been pulled at least
twice previously, and that all of the apparent participants are linked by a
bond of fraternity brotherhood from their undergraduate days at Drexel
University.  In each subsequently uncovered scam, as well as in the
Breeders' Cup case, an off-track bet from a particular betting parlor that
did not keep records of phone-in bets was subsequently altered by insider
system manipulation AFTER the results of the early races were known, but
before the records were transmitted to the central facility.  [If you want
the background on the cases and the individuals involved, see the series of
articles in *The New York Times*, 9 Nov, 10 Nov, and 13 Nov.]

And then, you might ask, have there been other cases of undetected insider
fraud in gambling systems?  There have certainly been publicly admitted
precedents of rigged gambling payoffs, perhaps most notably the Harrah's
Tahoe $1.7 million progressive multiple-slot-machine jackpot that reportedly
was triggered by insiders, although the exact details of that event almost
20 years ago are still not widely known.  We have also noted in RISKS that
you might want to wonder about the trustworthiness and integrity of on-line
gambling systems.  But perhaps MOST INSIDIOUS from the effect on the
populace at large is that implicit in all those discussions are that the
same concerns arise in the all-electronic voting machines, as noted in
recent RISKS issues (including this one).  In the horse-race betting cases,
even if there had been audit records as to the exact bets that were later
altered (there were no such audit trails on the OTB system used for the
exploits), a really clever perpetrator with insider access privileges might
have been able to alter the audit records without being detected unless the
audit mechanism was totally nontamperable (which is generally considered to
be either overkill or practically impossible despite the existence of
once-writable media).  In all computing environments where something is
valued (especially gambling, electronic voting, national security,
intelligence, counter-intelligence, supposedly secure databases with
stringent privacy policies, etc.), the presence of overprivileged insiders
and the absence of nontamperable audit trails must both be considered as
warning indicators.

Joke not so funny anymore

<"Toby Gottfried" <>>
Mon, 11 Nov 2002 08:46:31 -0800

I am reminded of an old election joke,
which seems like less and less of a joke.

  A third world country decided to go democratic, turning to the USA for
  guidance.  On a limited budget, they could only afford second-hand
  equipment and got some voting machines from the city of Chicago.

  With great fanfare, they held their election, with Fyodor Guantanamo
  running against Kwame Santahara.

  The winner was ...
     Richard J. Daley.

Chip glitch hands victory to wrong candidate

<"Peter G. Neumann" <>>
Tue, 12 Nov 2002 13:43:00 PST

In Nebraska, a defective computer chip in Scurry County's optical scanner
misread ballots Tuesday night and incorrectly tallied a landslide for the
wrong party.  Investigation led to the diagnosis of a faulty chip, which
when replaced reversed the outcomes in two commissioner races, verified
by a hand recount, from Republican victories to Democratic victories.
  [Source:; PGN-ed]

  For some other irregularities in Nebraska, see VoteWatch (next item).

Glitches indeed

<"Rebecca Mercuri" <>>
Tue, 12 Nov 2002 19:20:49 -0500

You think the November 5, 2002 US General Election went smoothly?

Use your favorite Web engine and search for the words "election" and
"glitch" — a recent scan on Google News turned up hundreds of press
reports. Not all of these troubles were in Florida — states included Texas,
Alabama, Nevada, Georgia, California, South Carolina, Nebraska, and New
Jersey.  Voter News Service, the agency that provides exit poll data that
might have been used as a cross-check against computerized returns, was
coincidentally knocked out of service by an unidentified "massive computer
glitch" on election day as well.  Many of the election problems (including
those at VNS) occurred in spite of hundreds of millions of dollars (soon to
be billions) spent on new equipment.  If, say, an automobile manufacturer
experienced numerous major "glitches" in a product line, the public would be
clamoring for a recall.  Yet everyone seems quite content with these
computerized voting systems, and the press continues to blame the poll
workers, even in Broward County where they spent an additional $2.5M on
training and staff for election day and still managed to misplace some
103,000 votes.  Characterizing these serious problems as "glitches" makes it
seem like poor engineering and incompetent election system management is
somehow acceptable to the American public.  It's not.  A massive recall of
these inappropriate and defective devices must be started immediately.  Call
or write to your Secretary of State and complain.

Rebecca Mercuri


<"Steven Hertzberg" <>>
Mon, 11 Nov 2002 23:32:23 -0800

I recently launched, which is an online service that allows
voters to immediately report voter machine errors, polling place problems
and other voting obstacles. VoteWatch is quickly becoming the central
repository of election 2002 discrepancies.

I would appreciate it if you could browse VoteWatch and add comments as
you see fit.

Steven Hertzberg, Founder, VoteWatch, San Francisco, CA

Election integrity in general

<"Peter G. Neumann" <>>
Mon, 11 Nov 2002 11:44:40 PST

With PAPER BALLOTS, there is the accountability of the paper ballots
themselves, which can potentially be examined for serial number consistency,
watermarks to hinder the introduction of phony ballots, fingerprints, etc.

With LEVER MACHINES, it is true that they can be rigged to fail to record
votes for one candidate, but it is unlikely that such a vote could be
misrecorded for another candidate (assuming the standard ballot face is in

With PUNCH-CARDS and MARK-SENSE CARDS, there is the evidence of the cards
themselves.  Although tampering with the cards is obviously possible
(substitution, invalidation by internal fraudulent overvoting by election
officials, the cards provide an audit trail).

With the ALL-ELECTRONIC SYSTEMS that exist today (with the exception of the
Avante system that now includes the Mercuri Mechanism as a standard), there
which itself can be fraudulent, given proprietary code, Trojan horses and
trapdoors, etc.  Recounts are meaningless if the data is already corrupted
when stored.  Furthermore, many of these machines are configured by
vendor-supplied personnel, with potential access privileges for the system
or the accuracy of the configuration.

Every one of these systems has potential problems.  But a world-wide
consensus seems to suggest that a single piece of paper with a single set of
candidates is the most reliable method, because poll watchers can see what
is happening.  How do you watch the bits moving around inside an
all-electronic system?

Re: Lynn Landes's analysis of the 2002 Elections (RISKS-22.37)

<"Peter G. Neumann" <>>
Mon, 11 Nov 2002 7:33:43 PST

I received several responses strongly offended by the inclusion of Lynn
Landes's piece in RISKS-22.37.  I deeply regret if that item offended you.
I included it not primarily for its claims (whether accurate or not), but
rather for the implications of accidents and misuses, potential and actual,
publicized or kept secret, detected and undetected, that we have been
discussing in RISKS for many years.  Much of her piece is actually relevant
here, although I think her message may have been weakened because of certain
statements that were more political than the objective reporting that we try
to make the expected norm in RISKS.

As I see it, the most important question we should be asking is this:

  With respect to those of you who voted last week using an all-electronic
  voting machine, is there any meaningful assurance that the vote you cast
  was correctly recorded — that is, any assurance that there were no
  misconfigured systems, accidents, internal fraud, etc.?  For almost all of
  the existing electronic systems (with the exception of one that actually
  incorporates the Mercuri Mechanism — namely, Avante), the answer is an
  UNEQUIVOCAL NO.  This is an untenable situation if you believe in election
  integrity, IRRESPECTIVE of your party affiliations.  PGN

Re: Lynn Landes' analysis of the 2002 Elections (RISKS-22.37)

<"Rebecca Mercuri" <>>
Mon, 11 Nov 2002 00:02:11 -0500

First of all, it's more like $4B, Lynn wasn't including the additional sums
for training and so on that were also authorized by the Help America Vote
Act bills.  But even $4B is just the tip of the iceberg.

Over in Broward County Florida, where they just spent around $18M for brand
new touch-screen voting machines they found that they had to pay an
additional $2.5M just to run the November election, because the machines
couldn't be set up and monitored by the regular poll workers who are
normally hired.  Now if Broward has to pay this sum 2 times a year for the
next decade, how does this Help America Vote? They could print up an
easy-to-read paper ballot for every man, woman, and child in the entire
County for well under $1M and they would probably not discover missing
cartridges 2 days later with 103,000 missing votes on them (after being
monitored by the Republicans who came down from the state to help the
Democrats out with the election).  A box of paper ballots is a lot harder to
lose (not that it hasn't been done) than a small voting cartridge.  And the
paper ballots can be read by hand if the computers are misprogrammed (like
they seem to have been in a lot of US counties this past November).

Over in Texas, I don't really see how it's could be the Democrats' fault
when they discovered their brand new touchscreen voting machines lighting up
for the Republican candidates over in Dallas last week.  When the Democrats
sued to stop the machines being used, the Republicans said "we haven't had
any complaints."  Sure, because they didn't light up for Democratic
candidates when the Republicans were pressed.  I wonder why? Misalignment?
Conveniently, none were misaligned in the other direction.  Hmmm.

If you really look at your history books, you'll see all sorts of election
fraud in all sorts of places.  We had things like literacy tests.  And we
had to pass amendments to the US Constitution so that gender and race
wouldn't be used to prevent citizens from voting.  There's plenty of
election fraud too.  Tip O'Neil (the late Speaker of the House) described in
his autobiography (after he retired) a scheme whereby paper ballots were
routinely substituted (called chain voting).  It's not any particular party
that is to blame, it's just that vote stealing is as much a tradition in the
USofA as apple pie.  Unauditable voting machines just make it even easier to
cover up.

Folks can continue to stick their heads in the sand and pretend this hasn't
happened, doesn't happen, and won't happen.  Or they can face reality and
then work to adopt systems that will REDUCE and ELIMINATE election fraud,
rather than encourage and enhance the ease of doing it.

Please read the additional material and links on my website over at and join the effort to save democracy
before it's too late.

R. Mercuri

Re: Zogby poll failures (Landes, RISKS-22.37)

<Henry Baker <>>
Sat, 09 Nov 2002 14:56:54 -0800

There was a long article in the *Wall Street Journal* with lots of quotes
from Zogby.  Apparently, the problem is that they depend upon telephone
solicitation to find out how people are voting, and people are using caller
ID to screen out the calls.  There is also a significant rise in the
percentage of cell phones, for which spam telephone calls aren't allowed.
Also, women are not as at home as they used to be, so there's no one to
answer the phones.

So there's no need to attribute malice to the bad polling data, when simple
incompetence will do just fine.

  [... and an inherently flawed methodology?  PGN]

REVIEW: "Manager's Guide to Contingency Planning for Disasters",

<Rob Slade <>>
Tue, 12 Nov 2002 08:01:03 -0800
  Kenneth N. Myers

BKMGTCPD.RVW   20021012

"Manager's Guide to Contingency Planning for Disasters", Kenneth N. Myers,
1999, 0-471-35838-X, U$55.00
%A   Kenneth N. Myers
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   1999
%G   0-471-35838-X
%I   John Wiley & Sons, Inc.
%O   U$55.00 416-236-4433 fax: 416-236-4448
%P   234 p.
%T   "Manager's Guide to Contingency Planning for Disasters"

The preface clearly states that this book promotes a "what if," worst case
scenario approach to contingency planning.  It presents the development of
detailed business continuity procedures as a waste of time, and assumes that
minor mishaps can be handled within the limits of the methods meant to deal
with the worst case.  Although this flies in the face of conventional BCP
(Business Continuity Planning) wisdom, in all but the last item Myers makes
a convincing case.  The emphasis is on avoiding the "how long can you do
without" type questions so common in BCP, and more directed towards "what
alternatives can we use when we have to do without" answers.

Chapter one is an introduction, and this is obviously not your average DRP
(Disaster Recovery Planning)/BCP book, since it includes items such as a
"disaster life cycle."  "Defining The Problem" doesn't really happen in
chapter two, although one could say that the problem is clarified to a
certain extent.  The text is a bit repetitive, reiterating several times
that too many companies concentrate on recovering the technology before the
business.  There is more traditional look at BCP in chapter three, since it
concentrates on awareness and education, and provides a good, basic overview
of selling the contingency planning idea to management.  Chapter four
reviews project planning, although primarily from an outsider perspective,
like that of a consultant.  From this viewpoint, it offers very practical,
helpful advice.  Business impact analysis is presented in chapter five,
although, again, the text retails content already stated elsewhere.  The
implementation strategy, in chapter six, primarily covers dealing with
various layers of management.  The Myers process of plan development is
presented in a structured form in chapter seven, although most points have
been made already.  Chapter eight again presents a more traditional, and
very short, view, this time of plan maintenance, education, and testing.
The guidelines for internal consultants and consulting firms, in chapter
nine, form a nice checklist.

There are a number of appendices, of which B (with a sample contingency plan
and examples of alternative methods is particularly useful.  A broader list
of alternative methods is suggested in Appendix C.

While some may dismiss it as a kind of cost/benefit reductio ad absurdum,
Myers' method does raise issues that need to be considered.  This contrarian
view should be more widely considered by the BCP community.

copyright Robert M. Slade, 2002   BKMGTCPD.RVW   20021012

REVIEW: "High Technology Crime Investigator's Handbook",

<Rob Slade <>>
Wed, 13 Nov 2002 08:05:55 -0800
  Gerald L. Kovacich/William C. Boni

BKHTCRIH.RVW   20021012

"High Technology Crime Investigator's Handbook", Gerald L.
Kovacich/William C. Boni, 2000, 0-75067806-X, U$34.95
%A   Gerald L. Kovacich
%A   William C. Boni
%C   2000 Corporate Blvd. NW, Boca Raton, FL   33431
%D   2000
%G   0-75067806-X
%I   Butterworth-Heinemann/CRC Press/Digital Press
%O   U$34.95 800-272-7737
%P   298 p.
%T   "High Technology Crime Investigator's Handbook: Working in the
      Global Information Environment"

The preface makes the somewhat contradictory statement that the book
is "not a `how to investigate high-technology crime' book but provides
basic information for someone ... new to the profession."  This odd
assertion may be partially explained by the fact the text is very
heavy on career and organizational matters, and extremely light on
functions and technology.  It would appear that any technical issues
are seen as "how to," while corporate politics are basic information.

Part one provides an introduction to the high technology crime
environment, in broad overview.  Chapter one is a pedestrian
presentation of high technology.  The text is very disjointed (a
discussion of government departments using high-tech crime as a
justification to fight for increased budgets is immediately followed
by a minor example of online harassment), and, despite the promotion
of the importance of technical information and tools for crime
investigation, the technical material is weak, simplistic, and oddly
handled.  For example, a subjective and imprecise measure of data
volume (a book) is used to calculate ridiculously "accurate" (in terms
of significant figures) store sizes for a variety of obsolete systems.
There is a superficial and pessimistic look, in chapter two, at the
"Global Information Infrastructure."  Again, the technical content is
insubstantial: mention of lists of top level domains makes reference
to using a search engine to find them, but the instructions consist of
"well, you're an investigator, investigate."  This seems to sum up the
attitude to providing necessary information.  High-technology
miscreants, in chapter three, are reasonably well described, with only
minor errors.  There is an internal contradiction when the text lumps
phone phreaks in with hackers, and then treats them as distinct, and
the book retails the Cap'n Crunch myth, whereas Draper himself points
out that he was taught about the 2600 hertz whistle.  There is a
slight overemphasis on the importance of "professional hackers."
Chapter four's coverage of attack technology is jumpy and fragmented.
An "ISP attack" makes little sense, while spoofing is narrowly defined
to include only one specific type of session hijacking.  Three pages
of diagrams of PBX (Private Branch eXchange) attacks explain nothing.
Protection technology, in chapter five, is defined as access control,
accountability, and audit trails, followed by a random grab bag of
security ideas.

Part two is an overview of the high technology crime investigation
profession or unit.  This material is basically recycled from "The
Information Systems Security Officer's Guide," by one Gerald L.
Kovacich.  There are a large number of very short chapters.  Chapter
six is a generic promotion for career planning, with added, but oddly
irrelevant, details.  Marketing yourself, in terms of preparation of
resumes and for interviews, is in chapter seven.  Chapter eight
describes the perfect, and therefore fictional, company to work for.
This is followed by the perfect job description in nine, the perfect
investigative unit in ten (with some brief staff job descriptions in
eleven), and the perfect mandate (plus an excessively detailed example
of a PBX survey) in chapter twelve.  Chapter thirteen suggests that
you develop contacts, but, somewhat in opposition to the career
building emphasis earlier, this concentrates on "sources" or
informers.  The development of metrics, in chapter fourteen, seems to
be primarily concerned with the creation of bar charts to show
management that you've been working.  The "Final Thoughts," in chapter
fifteen, are mostly vague opinions.

Part three is entitled high technology crimes and investigations.
Chapter sixteen has various stories, with almost no detail, about
crimes and computers, few of which are relevant to corporate
investigations.  There is some useful advice, in chapter seventeen, on
the initial seizure and chain of custody of computer equipment, but
the discussion is limited to data recovery.

Part four is supposed to be about challenges to high technology crime
investigation, but chapter eighteen, the only section, simply contains
more vague thoughts.

For someone trying to build a career via political maneuvering, this
book can provide some useful tips.  For someone trying to investigate
a crime involving computers, it might be a bit frustrating.

copyright Robert M. Slade, 2002   BKHTCRIH.RVW   20021012    or

Please report problems with the web pages to the maintainer