The RISKS Digest
Volume 22 Issue 36

Thursday, 7th November 2002

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


CNN needs some fact-checkers on electronic-election article
Rebecca Mercuri
The 2002 general election
Dominant lottery vendor cracked
Conrad Heiney
Winning lottery tickets can be determined before purchase
Jeremy Epstein
Robot malpractice?
Paul Saffo
Computer problem caused fatal pipeline rupture
Paul Hirose
Opera confused about hemispheres
David Skillicorn
Set your clock to 1984
Toby Gottfried
Scoping out the future
'British' spelling
Michael Bacon
NSF Trusted Computing Program
Carl E. Landwehr
REVIEW: "The Total CISSP Exam Prep Book", Peltier/Howard
Rob Slade
REVIEW: "Information Security", Donald L. Pipkin
Rob Slade
Info on RISKS (comp.risks)

CNN needs some fact-checkers on electronic-election article

<"Rebecca Mercuri" <>>
Wed, 6 Nov 2002 08:59:29 -0500

The 5 Nov 2002 article "Electronic elections: What about security?"
( on by
Jeordan Legon contains a number of factual errors and misrepresentations. To
CNN's credit, they did attempt to contact me for an interview on 11/4 for
that article, but their tight deadline should be no excuse for not getting
the facts straight.

The article states: "the voting software and hardware has to pass strict
security standards imposed by the Federal Election Commission and the
National Association of State Election Directors."  This is untrue.  ALL
voting systems newly deployed for the 2002 election were inspected to the
OBSOLETE 1990 FEC recommendations.  Even these were only adopted by 2/3 of
of the States.  The 2002 standards must be adopted prior to use and it is
unclear when (or in some States if) this will happen.

Mark Beckstrand, a Sequoia Voting Systems VP, was quoted in the CNN article
as saying: "Show me somebody who has gotten into our software. We haven't
lost or misplaced or ever been accused of not having 100 percent accuracy."
Well, first of all, experts, such as myself, are prevented from looking at
Sequoia's equipment because it is sold under restrictive trade-secret
agreements making it a felony if a purchaser (such as a County Board of
Elections) provides it for internal inspection, except under court order.
For a court case in Palm Beach County, we have tried for months to obtain a
Sequoia machine (for which we have numerous affidavits from voters
indicating problems) in order to perform an internal inspection, and have
even offered to purchase a machine from the County outright, but so far have
been barred from doing so.  It makes it really hard to show if their product
has been tampered with, if it's a felony to inspect it.

In addition to our case in Boca Raton, where there was an 8% "undervote"
(votes missing compared with number of voters who signed in at the
election), there are other instances of problems involving Sequoia
equipment.  Susan Bernicker videotaped numerous Sequoia machines used in a
Louisiana election that showed different names on the confirmation screen
than the candidate buttons that were pressed.  Over in New Jersey in 2000, a
brand new Sequoia machine turned up zeros for some candidates in a local
election.  Elsewhere in Palm Beach Co. in March 2002, Sequoia systems
registered a 3% undervote in an election where only 2 candidates were
running in only 1 race.  It was conjectured (by Election Supervisor Theresa
LePore) that people came to the polls and deliberately did not vote for one
of the candidates, but this seems rather unlikely.

Sequoia seems to have a short memory when it comes to court cases and
missing votes.  There might be a good reason for this.  According to the San
Francisco Business Times (11/19/2001), their Southern Regional Sales
Manager, Phil Foster, was indicted in Louisiana for "conspiracy to commit
money laundering and malfeasance" involving kickbacks to Jerry Fowler, the
Louisiana state commissioner of elections, now serving a prison term for his
involvement in a decade-long kickback scheme with Sequoia. Foster sold
machines in Lousiana and Florida, and testified as a technical expert
against Bernicker in her Baton Rouge case.

I hope CNN can be encouraged to run a correction or follow-up on their
article.  The public needs to know the rest of this story.

The 2002 general election

<"Peter G. Neumann" <>>
Wed, 6 Nov 2002 9:38:58 PST

In yesterday's voting, there were numerous irregularities, as usual --
although perhaps fewer visible ones than had been anticipated.

* Palm Beach and Broward in FL had reports of voters touching the screen for
McBride and having the vote showing up for Bush.  The vendors and voting
officials claim that that error was quickly "fixed".  Remember that "fix"
has two meanings.  For example, check out the Matt Drudge report at

* In Broward County, a programming error left out 34,000 votes, because the
combination of early votes exceeded a preprogrammed maximum.  Also, 70,000
absentee and Spanish-language ballots were missing from the reported
turnout, although they were included in the vote totals.  These were later

* In Houston, where the all-electronic voting machines have rotary dials
instead of touch-screens, voters in five precincts had their attempts to
vote a straight party ticket rejected.  (It happens to have been the
Democratic ticket that was not accepted.)

* In Georgia, newly using touch-screens, some voters reported their votes
being recorded for other candidates.

* In Pulaski County, Arkansas, half of the voters had not been assigned
precincts after redistricting and were denied being able to vote despite
having legitimate registration cards.

* San Francisco failed to deliver enough ballots to several precincts, where
voting continued until midnight.

* In Nebraska, Charlie Matulka (a long-shot Democratic candidate) reports
having been given a paper ballot already premarked for his Republican

* In South Carolina, there were some reports of long waits in line.
Elsewhere, people turned away from the polls in various places even with
valid identification.  Also, reports of lever machines dropping votes.

NOTE: Andrew Klossner sent in a correction on Andrew Morton's item in
RISKS-22.35 on absentee voting in Oregon: the ballot he gets is just an
unlabeled punch-card in which he has to punch out the chad for the desired
holes.  (Same for me in Santa Clara County, California.  PGN)

The general consensus among election officials and voters seems to be that
the all-electronic machines are a great improvement, relatively easy to use,
and inherently able to prevent overvotes.  The general consensus among
knowledgeable computer security experts seems to be that almost all of the
existing all-electronic systems could relatively easily be rigged by
internal fraud in the software and external manipulation of the local
polling-place configurations and could also be subject to undetected
internal errors, because of an almost complete absence of meaningful audit
trails and independent verification of the consistency of votes tabulated
with votes cast.  Just because an all-electronic machine looks like it might
be working, how do you *KNOW* it is doing the right thing?  From a RISKS
perspective, a perceived potential lack of integrity is a serious obstacle
to democracy.

Dominant lottery vendor cracked

<"Conrad Heiney" <>>
Wed, 6 Nov 2002 10:45:47 -0800

According to the *Wall Street Journal*, 6 Nov 2002, the world's dominant
operator of national and state lotteries has warned of a possible compromise
of its system for patching scratch-ticket winners.  The company referred to
an "operational and technical issue" in which the bar code used on the
ticket had been cracked. The article quotes an unnamed source who claims
someone had "decoded the algorithm" for the bar codes.

Setting aside the RISK of whichever algorithm they chose, and not knowing
whether this was an inside job, it's interesting to contemplate what other
technology based industries have become so thoroughly centralized that one
crack can cause a worldwide mess like this.,,SB1036548523995761668,00.html?mod=3Dhome_whats_news_us,,SB1036548523995761668,00.html

Conrad Heiney <>

Winning lottery tickets can be determined before purchase

<"Jeremy Epstein" <>>
Wed, 6 Nov 2002 17:14:40 -0500

According to,
GTech (the largest lottery operator) has determined that the scratch-off
lottery tickets can be determined before doing the scratch-off operation.
"A corrupt ticket salesperson that knew the codes theoretically could pick
out the winners on a sheet of tickets and cash them, selling only the losers
to the general public."

Sounds like the serial/code number isn't being encrypted or otherwise
protected before being printed...

Robot malpractice...

<Paul Saffo <>>
Wed, 06 Nov 2002 20:30:16 -0800

In an surgical operation to remove a cancerous kidney at St. Joseph's
Hospital in St Petersburg, a three-armed da Vinci robot (made by Intuitive
Surgical Inc.) was being controlled by an experienced doctor from a
3-dimensional computer screen, 10 feet away.  The robot technology for
cutting blood vessels is supposed to decrease bleeding, pain, and recovery
time.  Unfortunately, the patient's aorta and another blood vessel were cut,
and this went unnoticed for an hour and one-half.  Two days later, the
patient died of complications.  The developer found no mechanical problems,
and absolved the robot, which had been used successfully in 10 similar
operations.  [Source: Patient dies in robot-aided surgery; Such robots are
considered a major surgical breakthrough, but something went wrong, Graham
Brink, *St. Petersburg Times*, 30 Oct 2002; PGN-ed]

  [Classical case.  The vendor absolves the technology, implicating the
  doctor.  Others blame the robot.  What about the doctor-machine interface?

Computer problem caused fatal pipeline rupture

<Paul Hirose <>>
Wed, 06 Nov 2002 06:43:40 GMT

The NTSB (U.S. National Transportation Safety Board) has released its report
on the pipeline accident at Bellingham, Washington, in June 1999. Three
people were killed when a 16-inch pipeline ruptured and released about
237,000 gallons of gasoline, which then ignited.

One link in the chain of events leading to this accident was the pipeline
company's SCADA (supervisory control and data acquisition) system. Just
before the rupture, there was a pressure surge in the pipeline. This was a
common occurrence, unrelated to the SCADA. But through rotten luck the surge
hit right in the middle of an extreme slowdown in the SCADA computer. Since
the SCADA controlled the pumps and valves along the pipeline, the control
room operator was unable to relieve the pressure. Had the computer responded
promptly to his commands, pressure probably would have remained within the
pipeline's burst strength.

A pair of DEC VAX computers (one active, one standby) ran the SCADA
software. Investigators attempted to duplicate the system slowdown but were
not successful. Nor were any flaws uncovered in the hardware or
software. However, there were flaws in the company's computer procedures.

1. All computer operators used the same login. The account had system
administrator privileges, including unlimited authority to hog resources.

2. Modifications to the SCADA historical database were performed on the same
computer that was in control of the pipeline. Just before the SCADA became
unresponsive, the system administrator had added some database records. That
probably triggered the SCADA lockup, concludes the NTSB report.

3. Although the system administrator monitored error logs to check the
progress of his database work, and began to see errors 18 minutes before the
rupture, he did not warn the pipeline control room or his
supervisor. Instead, he left the computer room for about 15 minutes.

4. Anyone with an account could log in to the SCADA through a dialup
connection. However, the fact that the system troubles began shortly after
the database modification, and stopped when the new records were deleted,
suggested that an intruder was not to blame.

In the wake of the accident, the pipeline company rectified these problems.

Executive summary and complete accident report are on line:

Opera confused about hemispheres

<David Skillicorn <>>
Thu, 07 Nov 2002 08:54:44 +1100

This morning (local time), the web browser Opera is serving Australians with
banner ads intended for Austria.

The relatively small difference in syllables has been the cause of much
misdirected physical mail over the years (puzzling to the Austrians who
spell their country completely differently). Now the small difference
between .au and .at seems to be causing the same problems in the cyberworld.

Set your clock to 1984

<"Toby Gottfried" <>>
Wed, 6 Nov 2002 11:17:32 -0800

Along the lines of the FBI-bugs-libraries reference in RISKS 22:35
there is also this article about cooperation between ISPs and the prying
eyes of government on e-mail.

Looks like Orwell should have called his book "2004".

Scoping out the future

<"NewsScan" <>>
Thu, 07 Nov 2002 09:26:47 -0700

Yale computer scientist David Gelernter is glad that the Microsoft trial is
behind us, because "operating systems are lapsing into senile irrelevance,"
and we need to move on to the future. And what will the future be all about?
"Every piece of digital information you own or share will appear (in the
near future) in one universal structure" — one to which you'll have access
from any Net-connected computer anywhere. "I have time for only one screen
in my life," says Gelernter. "That screen had better give me access to
everything, everywhere." The universal structure, dubbed Scopeware, will be
a narrative, 3D stream of electronic documents flowing through time.  "The
future (where you store your calendar, reminders, plans) flows into the
present (where you keep material you're working on right now) and on into
the past (where every e-mail message and draft, digital photo, application,
virtual Rolodex card, video and audio clip and Web bookmark is stored, in
addition to all those calendar notes and reminders that used to be part of
the future and have since flowed into the past to be archived forever)."
[*The New York Times*, 7 Nov 2002; NewsScan Daily, 7 November 2002]

'British' spelling (in "Software leaves ..., RISKS-22.35)

<"Michael \(Streaky\) Bacon" <>>
Wed, 6 Nov 2002 06:48:00 -0000

PGN, The RISK here is that of assuming 'British' spelling exists — it is
the Oxford ENGLISH Dictionary for spelling and the Queen's ENGLISH for
pronunciation. <GRIN>

Simply put, Britain comprises the 'home countries' of England, Northern
Ireland, Scotland and Wales.  There are other island territories immediately
offshore that are part of Britain (eg. the Scilly Isles) and others that are
part of the United Kingdom but not of Britain (e.g., the Channel Islands).

  [LATER CORRECTION: Northern Ireland is NOT a part of Great Britain, but is
  a part of The United Kingdom of Great Britain and Northern Ireland,
  as of 1927.  Thanks to John Carlyle-Clarke for this fact!  PGN]

There is no 'British' language per se — the (recent — i.e., immediately
pre-AD) native majority tongues of Great Britain were basically Celtic,
French and Latin (by today's definitions) — English arose as a combination
of these and other, imported, languages.  Today, basically, the native Welsh
language is Celtic, the native Scots language is Celtic, the native Irish
language is Celtic, and the native English language is English — except for
Cornwall (a county) where their native language is Celtic.  The individual
country variation of the Celtic language is frequently spoken in Wales and
in the Highlands of Scotland (and in Cornwall).

I was raised in Jersey (the Channel Island, not the State).  This is part of
the United Kingdom, but not the European Union (confusing isn't it?) where I
grew up speaking 'Jersey patois' (a form of Norman French) and English.

So. 'English spelling' - yes, 'British spelling' - no.
With "tongue" slightly in cheek,  Michael (Streaky) Bacon

NSF Trusted Computing Program

<"Landwehr, Carl E." <>>
Tue, 5 Nov 2002 17:57:47 -0500

The next proposal deadline for NSF's continuing Trusted Computing program is
Wednesday, December 4, 2002.  Links to the program announcement, as well as
a summary description and list of the initial awards under NSF's Trusted
Computing program can be found on NSF's web.  NSF has changed its Web
infrastructure recently, so the direct URL for the Trusted Computing Program
is a bit lengthy:
  ?pgm_pims_id=5158&pgm_supp_id=10091&loc=ccr&pub_id=5370 [split]

Alternatively you can visit:
and then select "funding opportunities" and then select "trusted computing".

If you are in a position to conduct research in this area, I encourage you
to consider submitting a proposal this year. NSF focuses on funding research
at universities and not-for-profit organizations. I also hope you will
consider helping me staff the review panels for the proposals that are
submitted.  My warm thanks to all who proposed and who participated in the
review process this past year.

Carl Landwehr, Director, Trusted Computing Program
National Science Foundation  1-703-292-8936

REVIEW: "The Total CISSP Exam Prep Book", Peltier/Howard

<Rob Slade <>>
Wed, 6 Nov 2002 04:34:19 -0800

BKTCIEPB.RVW   20020823

"The Total CISSP Exam Prep Book", Thomas R. Peltier/Patrick D. Howard,
2002, 0-8493-1350-3, U$59.95
%A   Thomas R. Peltier
%A   Patrick D. Howard
%C   920 Mercer Street, Windsor, ON   N9A 7C2
%D   2002
%G   0-8493-1350-3
%I   Auerbach Publications
%O   U$59.95 800-950-1216
%P   287 p.
%T   "The Total CISSP Exam Prep Book: Practice Questions, Answers, and
      Test Taking Tips and Techniques"

Both the preface and the back cover copy stress the assertion that "until
now, [CISSP (Certified Information Systems Security Professional)
candidates] were not afforded the luxury of studying a single, easy-to-use
manual."  Despite the reservations that I may have about the quality of
their works, this statement must surely be a shock to Shon Harris
(cf. BKCISPA1.RVW), Mandy Andress (cf.  BKCISPEC.RVW), S. Rao Vallabhaneni
(cf. BKCISPET.RVW), and Ronald Krutz and Russell Vines (cf. BKCISPPG.RVW)
and Carl Endorf (wait for it).  (Well, I suppose that, technically,
Vallabhaneni's is *two* books ...)

It would be difficult to say that you could use this volume for study,
either.  It doesn't actually have any tutorial material, other than some
advice on how to write the exam.  Some of the tips are outdated, and most of
the rest of the content is rather generic, such as the suggestion to eat a
hearty breakfast before you go.  (I'd suggest that you go easy on the
recommendation to drink lots of coffee before you head off: some of the
proctors can be pretty sticky about letting you go to the washroom.)

What it does have is ten chapters (one for each of the CBK [Common Body of
Knowledge] domains) of twenty five "exam" questions each.  That's twenty
five questions for physical security (the smallest domain) and twenty five
questions for telecommunications (the largest).  The questions in the
chapters have explanations of which answers are right and which are wrong.
Then there is a sample "exam," and then the same exam with the answers.

Sample exams are highly sought after: it makes sense to know the type and
style of questions that you may encounter on the exam.  There is only one
problem: (ISC)^2 doesn't hand out sample exams.  In fact, they guard the
exam questions rather closely.  The sample exams at are a staple
in CISSP study groups, and there is a commercial outfit that will sell you a
set that they have made up.

Essentially, of course, this is what Peltier et al. have done.  So, the
question is, how close are the sample questions in this book to the real

The answer, unfortunately, is not very.  Different people worked on the
questions for different chapters, so the level of success varies.  (Security
management has possibilities, telecommunications is rather ghastly.)
Ultimately, though, these questions are not representative of what you will
find on an actual CISSP exam.  Those familiar with Bloom's Taxonomy of
questions will know that you progress from simple questions of fact through
synthesis of multiple facts through analysis based on synthesis to a level
of judgment or critical thinking.  Most of the questions a candidate will
encounter on the CISSP exam are at the analytical or critical levels.  Too
many of the questions found in most sample exams are at the simple factual
level.  The questions in this current work do move beyond the simplistic,
but they tend to turn on specific wording in some very weak references,
rather than the principles and concepts encountered in the CISSP exam
itself.  (Appendix A is a bibliography used in the creation of the
questions, and it is a decidedly poor one.)  Some questions and answers are
flatly wrong (planting malicious software is definitely *not* a passive
attack).  Others may have some point to their creation but get confused.
One question states that a certain answer is not correct because the
technology is not an encryption algorithm, but the "correct" answer isn't an
algorithm either.

This book may give you a very rough idea of the types of questions you may
encounter, and the range of topics you may need to know.  If you rely on it
to prepare you for the exam, however, you may be in for a rude shock.

copyright Robert M. Slade, CISSP, 2002   BKTCIEPB.RVW   20020823    or

REVIEW: "Information Security", Donald L. Pipkin

<Rob Slade <>>
Thu, 7 Nov 2002 07:45:52 -0800

BKISPTGE.RVW   20020823

"Information Security", Donald L. Pipkin, 2000, 0-13-017323-1,
%A   Donald L. Pipkin
%C   One Lake St., Upper Saddle River, NJ   07458
%D   2000
%G   0-13-017323-1
%I   Prentice Hall
%O   U$39.99/C$60.00 +1-201-236-7139 fax: +1-201-236-7131
%P   364 p.
%T   "Information Security: Protecting the Global Enterprise"

It takes quite a while to figure out what Pipkin is trying to do in this
book.  Ultimately, there is coverage of some of the important basic concepts
involved in information security.  However, the text as a whole is both
confused and confusing.

The prologue tells us that business is changing and chaotic, and that
information is of prime importance.  The introduction takes a quick run
through a few of the basic security concepts, with an emphasis on business
continuity planning.

Phase one of the book is entitled "Inspection," but the prologue lists some
items of concern in risk analysis.  Chapter one, called "Resource
Inventory," is concerned with data classification.  It touches on, but does
not really discuss, the orthogonal nature of classification schemes when
confidentiality, availability, and integrity must be considered.  The
material is sparse, and, while there are some indications of forward
references to later chapters, those chapters do not get down to practical
details either.  Chapters two to six begin to examine the concepts of
threats (concentrating, very poorly, on malicious software), loss analysis
(many examples, little of substance), vulnerabilities, safeguards, and

Phase two, on protection, seems to be trying to expand chapter five, but
really just repeats prior material.  Concepts touched on include access,
identification, authentication, authorization, and accountability.  Mixed in
are the not-quite-related topics of availability, accuracy, confidentiality,
and administration.

Phase three looks at intrusion detection, with chapters on intrusion types,
methods, process, and detection methods.  It isn't very useful.

Phase four reviews incident response, but rather vaguely.

Phase five concerns the post-mortem reflection.  The chapter on
documentation has some useful material on the contents of after-action
reports, but the rest of the content is unfocused and generic.

It is not quite true to say that the book is unstructured: it has a
structure, but either does not follow it, or does not usefully employ it.
Those without a security background will find it hard to build a useful or
working framework from the material in this book.  Those with such a
background will eventually find that the parts of the book do fit neatly, if
not logically, into the common framework.  However, those with such a
background will have no need for this work.

copyright Robert M. Slade, 2002   BKISPTGE.RVW   20020823    or

Please report problems with the web pages to the maintainer