The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 22 Issue 83

Thursday 7 August 2003

Contents

Software violates stock ownership limits
Bill Hopkins
Photoshop file contains more than the visible images
Nick Brown
Virginia Identity Theft Passport
James Moyer
Hand-held devices easy to hack
Monty Solomon
What Time Is It?
Conrad Heiney
Pentagon's online trading market plan draws fire
NewsScan
New online futures market bets on next White House scandal
NewsScan
Voting tech problems galore in Mississippi
Cathy Hayden via Kim Alexander
Electronic voting - once again...
M Baumeister
Why e-voting is a non-starter: Risks with e-voting
Bill Thompson via Chris Leeson
Hospital records stuck in memory stick
Brett McCarron
Re: Domain names
Jay R. Ashworth
Sidney Markowitz
Paul Schreiber
Tech exodus: 500,000 U.S. jobs moving overseas
NewsScan
PFIR Forums Adds "Voting Systems" Discussion Group
Lauren Weinstein
REVIEW: "A Guide to Forensic Testimony", Fred Smith/Rebecca Bace
Rob Slade
Info on RISKS (comp.risks)

Software violates stock ownership limits

<"Bill Hopkins" <whopkins@wmi.com>>
Mon, 4 Aug 2003 15:29:40 -0400

*The New York Times* reported Thursday that a Connecticut money manager
inadvertently increased his holdings in two medical technology companies
despite agreeing with both not to do so.  He now owns 75% of one of the
companies, whose CEO said he told them "three layers of software somehow
failed" after he agreed in April to limit his investment at the 20%
level. The other company went from 20% to 33%.  Nobody noticed anything
wrong until mid-July, despite steady buying.

The money manager is in apparent violation of SEC reporting requirements,
which carry regulatory penalties.  The companies face a protracted period of
uncertainty, as the positions are slowly unwound; one has a stock issue
planned for this week.  The institutional investors in the funds won't be
able to unload it if the stock prices fall, and other investors in the
companies who bought during the same period may wind up with losses if the
stock prices prove to have been inflated.

For the money manager, some obvious RISKs:
* Allowing computer software to run your business.
* Layering software (no word, but I'll bet it's from different vendors).
* Not sending the key memo to all three layers of software.
* Checking your total holdings every three months.

For companies, the RISKs are less clear.  It's not clear whether they had
any way of finding out who was actually buying their stock, and that the
price run-up was anything other than a general market recovery or
recognition of value.

For investors, well, we all know NASDAQ is a crapshoot in the dark, don't
we?  (Big Julie will now remember where the spots used to be on the dice you
just threw.)

The article, "Investor Says He Bought Stock and Didn't Know It," is at
http://www.nytimes.com/2003/07/30/business/30PLAC.html
(registration required, free access ends 8/06)


Photoshop file contains more than the visible images

<Nick Brown <Nick.BROWN@coe.int>>
Tue, 5 Aug 2003 20:45:02 +0200

A US TV presenter posted some artistic close-ups of her face.  Using
Photoshop before saving, she had apparently cropped pictures that were taken
while she was posing topless.  This enabled the crop to be undone.

This reminds us of what can happen in Word when you do a "regular" save.
Apparently, Microsoft Word isn't the only application that stores more than
what you see.

The subliminally-R-rated URL was previously on-line
  http://www.shackspace.com/[...]
but the link has been taken down, presumably due to heavy traffic from
referrals from www.cruel.com.

  [Recovering the hidden information must be known as a "cropshoot".  PGN]


Virginia Identity Theft Passport

<James Moyer <james@moyer.com>>
Mon, 04 Aug 2003 16:47:58 -0400

As part of my study of photo ID documents (and the theory for explaining how
they work, the current version of my paper is at
http://www.njlicense.org/sdt.pdf), I've been trying to figure out the trust
failure portion of Security Document Theory.

Trust failure occurs when a document is no longer believed to be valid. Too
much counterfeiting or other security problems causes too many bad documents
to be in the wild, though I believe that institutions can turn their backs
on ID documents, which sometimes occurs in countries that have national ID
cards. (People from several different countries, such as Italy and
Argentina, have told me that police may just decide not to trust their ID
card, and haul them in to get their identity assessed differently.)

The Virginia Identity Theft Passport is a different variation of that. The
trust has eroded from the normal documents, and now people, in certain
situations, need yet another document to back up their current assortment of
documents. (My theory considers photo ID card trust failures inevitable, as
long as the photo ID card performs multiple functions which have value to
criminals.)

I'm particularly amused by the reductio ad absurdum for the theft passport.
Instead of a separate document, why couldn't it be an endorsement on the
individual's driver's license (which would imply something like "this is a
regular John Smith, who is not *that* John Smith" or "this is a *real*
Virginia driver's license")?


Hand-held devices easy to hack

<Monty Solomon <monty@roscom.com>>
Sun, 3 Aug 2003 00:37:49 -0400

Hand-held computers used to store phone numbers, medical and credit-card
information leave millions of gadget lovers fully exposed to identity-theft
and other crimes, security experts said on Saturday.  Software is now widely
available to allow people to steal passwords and other information from
popular Palm-based computers, especially when they connect to other
computers to share data, said Bryan Glancey, a manager at wireless security
services provider MobileArmor of St. Louis, Missouri.  While millions of
people now rely on handy electronic scheduling and address books, few carry
sufficient security protections to prevent identity theft if the hand-held
is lost or stolen, as is commonplace.  Simple programs exist to uncover even
hidden data, Glancey said. Other software allows people to steal data while
remaining at some distance from the victims, he added.  ...  [Source:
Reuters, 2 Aug 2003]
  http://finance.lycos.com/home/news/story.asp?story=35114601


What Time Is It?

<"Conrad Heiney" <conrad@fringehead.org>>
Mon, 4 Aug 2003 12:47:15 -0700

*The Guardian* has a fascinating story on the ITU's Study group concerned
with time.  According to the article, divergent time systems are an
increasing problem. Conflicts between Earth time, the time provided by
atomic clocks, GPS time, and other standards raise interesting questions
about the safety of aircraft and other complex systems that may be running
on different timescales.
  http://www.guardian.co.uk/uk_news/story/0,3604,985020,00.html


Pentagon's online trading market plan draws fire

<"NewsScan" <newsscan@newsscan.com>>
Tue, 29 Jul 2003 09:23:30 -0700

The U.S. Defense Department's Defense Advanced Research Projects Agency
(DARPA) has plans to set up an online Policy Analysis Market that will allow
traders to bet on the likelihood of future terrorist attacks and political
assassinations in the Middle East. The bizarre scheme has drawn fire from
Senators Ron Wyden (D-Ore.) and Byron Dorgan (D-N.D.). "The idea of a
federal betting parlor on atrocities and terrorism is ridiculous and it's
grotesque," said Wyden, while Dorgan described the plan as "useless,
offensive and unbelievably stupid. How would you feel if you were the King
of Jordan and you learned that the U.S. Defense Department was taking bets
on your being overthrown within a year?" However, the Pentagon defended the
initiative, comparing it to commodity futures markets. "Research indicates
that markets are extremely efficient, effective and timely aggregators of
dispersed and even hidden information. Futures markets have proven
themselves to be good at predicting such things as election results; they
are often better than expert opinions." The market would allow traders to
deposit money in an account and then use it to buy and sell contracts. If a
particular event comes to pass, the bettors who wagered correctly would win
the money of those who guessed wrong.  [BBC News 29 Jul 2003; NewsScan
Daily, 29 Jul 2003]
  http://news.bbc.co.uk/1/hi/world/americas/3106559.stm

  [This plan was subsequently scrapped.  One of its proponents, John
  Poindexter (head of DARPA's IAO office), reportedly will be retiring.
  PGN]


New online futures market bets on next White House scandal

<"NewsScan" <newsscan@newsscan.com>>
Mon, 04 Aug 2003 10:58:36 -0700

In response to the Pentagon's now-discarded plans for a terrorism futures
market, academics from half a dozen U.S. universities have created an
American Action Market, which will offer traders the opportunity to wager on
the likelihood of various Washington political events, such as: Which
country will the White House threaten next? Who will be the next foreign
leader to move off the CIA payroll and onto the White House's "most wanted"
list? Which corporation with close ties to the White House will be the next
cloaked in scandal? The AAM will begin registering traders in September and
will open for business October 1. "It's quite amazing, the Pentagon and the
White House are very fertile imaginative fields these days," says one of the
AAM founders. "(The AAM project) sounds humorous, but that just shows how
far things have gone. We've entered the realm of fiction. Things are really
Dr. Strangelove." Bob Forsythe, a University of Iowa professor who helped
set up the Iowa Electronic Markets that speculate on election results, says
such futures markets can deliver fairly accurate predictions, but the
traders have to be knowledgeable. "You have to have informed traders or they
don't work very well. Who are the informed traders in an assassination
market, for example? The same is true for predicting the White House."
[Wired.com 4 Aug 2003; NewsScan Daily, 4 Aug 2003]
  http://www.wired.com/news/politics/0,1283,59879,00.html


Voting tech problems galore in Mississippi

<Kim Alexander <kimalex@calvoter.org>>
Wed, 6 Aug 2003 11:59:43 -0700

Errors - human, mechanical - mar Election Day
By Cathy Hayden, chayden@clarionledger.com [PGN-ed]
http://www.clarionledger.com/news/0308/06/melec02.html

Election officials and political party offices were flooded all day on 5 Aug
2003 with reports of voting snafus ranging from locked precincts to machine
malfunctions to voters receiving ballots with the wrong names on them.
"It's worse than it has been in 10 years," said Claude McInnis,
chairman of the Hinds County Democratic Party. "We had redistricting.
That made it much more complex."  [...]

Because Mississippi has 82 counties and there are party primaries, "164
groups of people are running the elections - the Republican county executive
committee in every county and Democratic county executive committee. There's
a lot happening," according to David Blount, spokesman for Secretary of
State Eric Clark.

[The article quotes a voter who did not recognize anyone on the ballot --
he had been given the wrong ballot, probably the fault of the poll worker.
Usual tales of a precinct that was locked for three hours (with poll workers
operating out of their own vehicles), nonworking touch-screen systems,
failure to read the initialization chip, etc.  PGN]

Kim Alexander, President, California Voter Foundation
kimalex@calvoter.org, 916-441-2494, http://www.calvoter.org


Electronic voting - once again...

<M Baumeister <MBAUMEISTR@aol.com>>
Thu, 24 Jul 2003 18:32:47 EDT

"According to election industry officials, electronic voting systems are
absolutely secure, because they are protected by passwords and tamperproof
audit logs.  But the passwords can easily be bypassed, and in fact the audit
logs can be altered.  Worse, the votes can be changed without anyone
knowing, even the County Election Supervisor who runs the election system."

... for the rest of the story:
Inside A U.S. Election Vote Counting Program  [by Bev Harris]
  http://www.scoop.co.nz/mason/stories/HL0307/S00065.htm


Why e-voting is a non-starter: Risks with e-voting

<"LEESON, Chris" <CHRIS.LEESON@london.sema.slb.com>>
Mon, 28 Jul 2003 10:20:38 +0100

Bill Thompson has written an article on the BBC Website about the
Risks of Electronic Voting:

  http://news.bbc.co.uk/1/hi/technology/3095705.stm

He starts by mentioning the recently-revealed DirectX flaw, security
problems in Windows Server 2003, and thefts from a South African bank due to
e-mail sniffing.

He then mentions the general problems with Authentication, and then some
specific problems found with the Diebold Election Systems equipment. He caps
this section of the article with noting that the company concerned refuses
to allow independent code reviews on the grounds of commercial
confidentiality.

In other words, the same old story.

The article closes with the following paragraphs:

  The British Government is still set on giving us all easy ways to vote,
  and the pilots from last year's council elections are being extended.

  There is still talk of online voting in the next general election, and of
  moving away from paper ballots entirely in the future.

  Yet every time we get to look inside a piece of software or a security
  system that has been developed in secret, and built on the top of a
  compromise between acceptable levels of risk and the cost of doing it
  properly, we find holes and errors.

  This is the reason why we must not move to an online voting system. It
  cannot be made secure, it cannot be guaranteed and it cannot be trusted,
  no matter who writes it, and no matter what claims are made.

  A democratically elected government of the United Kingdom has massive
  power. The gains to be made from undermining a general election are just
  too high for us to take the risk of moving the election online.

  Paper ballots and physical presence in the polling station make the system
  too unwieldy to hack. We should keep it that way.


Hospital records stuck in memory stick

<"Brett McCarron" <MCCARBWM@dfw.wa.gov>>
Thu, 07 Aug 2003 08:59:54 -0700

Hospital bosses in Greater Manchester have tightened up IT security
procedures after a Crewe estate agent found a memory stick sold as new
contained confidential details of 13 cancer patients.

A report into the security breach, which happened earlier this year, found
that the data had been transferred onto the memory stick when a computer
storing a database of patient details was sent for an upgrade.  The
hospital's IT supplier Pocos took the computer to MBS Computers in Crewe,
where the data was copied onto the stick. But the investigation was unable
to ascertain how it then came to be sold as new.
  http://silicon.com/news/500013-500001/1/5491.html
  http://zdnet.com.com/2110-1105_2-5060979.html

  [I'll bet that opened package memory sticks sell pretty quickly at
  computer superstores - BWM].

Brett McCarron, IT Security & Policy Officer, WDFW Information Technology
Services, 600 Capitol Way N. - Olympia, WA  98501-1091  (360) 902-2331


Re: Domain names (RISKS-22.81)

<"Jay R. Ashworth" <jra@baylink.com>>
Mon, 4 Aug 2003 12:45:04 -0400

Darryl Luff apparently reads Dave Barry's weblog.  :-)
So do I, but as far as I know, Dave got the other one from me:
  http://www.whorepresents.com
Isn't it nice that DNS is case-insensitive so that you can use
WhoRepresents.com instead?

Jay R. Ashworth, Member of the Technical Staff, Baylink, The Suncoast Freenet
Tampa Bay, Florida  jra@baylink.com http://baylink.pitas.com  +1 727 647 1274


Re: Domain Names (RISKS-22.81-82)

<Sidney Markowitz <sidney@sidney.com>>
Mon, 28 Jul 2003 12:04:34 +1200

RISKS-22.82 correctly points out that powergenitalia.com is not the Web site
of some Italian subsidiary of the British firm Powergen, and the Web site
today (as I type this) is just an "under construction" page.  HOWEVER, there
was a company Web site there when it was mentioned in RISKS-22.81.  You can
*try* to hide, but often not successfully on the Web.  The Internet Wayback
Machine reveals that there is a company named Powergen Italia (or else a
very longstanding Web hoax).  Their location and history can be found at:

http://web.archive.org/web/20020210171927/www.powergenitalia.com/inglese/logo1.htm
http://web.archive.org/web/20020203231738/www.powergenitalia.com/inglese/aziendae.html

The whois information matches the information there:
  http://opensrs.org/cgi-bin/whois.cgi?action=lookup&domain=powergenitalia.com


Re: Domain Names (RISKS-22.81-82)

<Paul Schreiber <shrub@mac.com>>
Tue, 29 Jul 2003 18:26:35 -0400

I've seen this before: the dotcom "experts exchange" had the domain
expertsexchange.com ... ExpertSexChange.com?  Ooops!

  [Ah, another item for my Hyphen(h)ater's Handbook?  PGN]


Tech exodus: 500,000 U.S. jobs moving overseas

<"NewsScan" <newsscan@newsscan.com>>
Wed, 30 Jul 2003 09:36:42 -0700

One out of 10 jobs in the U.S. computer services and software sector could
move overseas by the end of next year, according to a new report from
Gartner Inc.  And while professionals in the computer industry will be
especially hard-hit, IT jobs in other sectors such as banking, health-care
and insurance will feel the impact also, with one in 20 being exported to
emerging markets such as Russia, India or other countries in Southeast Asia.
"Suddenly we have a profession -- computer programming -- that has to wake
up and consider what value it really has to offer," says Gartner VP and
research director Diane Morello.  Morello estimates that based on her
preliminary calculations, at least 500,000 jobs will be lost to offshore
outsourcing by the end of 2004.  The trend toward "offshore outsourcing" is
heating up as a political issue, with legislators in five states proposing
bills that would require workers hired under state contracts be American
citizens or fill a special niche that citizens cannot.  [Reuters/CNN.com 30
Jul 2003; NewsScan Daily, 30 July 2003]
  http://www.cnn.com/2003/TECH/internet/07/30/jobs.oversees.reut/index.html


PFIR Forums Adds "Voting Systems" Discussion Group

<pfir@pfir.org (PFIR - People For Internet Responsibility)>
Wed, 6 Aug 2003 11:59:26 PDT

PFIR - People For Internet Responsibility - http://www.pfir.org

The PFIR Forums discussion board located at:
   http://forums.pfir.org
has added a new discussion group topic:
  "Voting Systems - Benefits and Risks"
for the discussion of the benefits, risks, problems and solutions related to
voting technologies, including mechanical and electronic (e-voting) systems,
especially optical scan, computer-based, and Internet voting.  This group is
moderated by Peter G. Neumann.

Other discussion groups (all are moderated) on PFIR Forums include:

   Civil Liberties vs. Technology
       Advanced and useful technologies are becoming massive threats
       to privacy and other civil liberties. How can technology be
       appropriately controlled and civil liberties protected?

   E-Mail Issues, Problems, and Solutions
       Discussion of problems, possible solutions, and a wide
       range of other issues relating to e-mail, including PFIR's
       Tripoli e-mail proposal

Informational (read-only) groups include:

   Fact Squad Radio
       Recent listings and e-mail notification for PFIR's Fact
       Squad Radio short mp3 audio features

   PFIR Forums Information and Guidelines
       Basic information, usage guidelines, privacy policy, etc.
       for PFIR Forums

As always, your participation in PFIR Forums is cordially invited.
Thank you very much.

Lauren Weinstein  http://www.pfir.org/lauren
lauren@pfir.org  lauren@vortex.com  lauren@privacyforum.org  +1-818-225-2800
Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org
Moderator, PRIVACY Forum - http://www.vortex.com


REVIEW: "A Guide to Forensic Testimony", Fred Smith/Rebecca Bace

<Rob Slade <rslade@sprint.ca>>
Tue, 29 Jul 2003 10:54:51 -0800

BKGDFOTS.RVW   20030604

"A Guide to Forensic Testimony", Fred Chris Smith/Rebecca Gurley Bace,
2003, 0-201-75279-4, U$49.99/C$77.99
%A   Fred Chris Smith
%A   Rebecca Gurley Bace
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2003
%G   0-201-75279-4
%I   Addison-Wesley Publishing Co.
%O   U$49.99/C$77.99 416-447-5101 fax: 416-443-0948 bkexpress@aw.com
%O  http://www.amazon.com/exec/obidos/ASIN/0201752794/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0201752794/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0201752794/robsladesin03-20
%P   509 p.
%T   "A Guide to Forensic Testimony"

The subtitle explains the book more fully: "The Art and Practice of
Presenting Testimony as an Expert Technical Witness."  However, those
with expectations about the form of technical literature should note
that the style of this work follows that of the legal profession and
case law: it primarily teaches by using examples rather than pointing
out a specific methodology.

The preface illustrates another difference between the technical and
legal worlds.  Computer work generally involves finding an answer to a
problem: if the code works, background study and documented analysis
is generally irrelevant.  The legal profession, on the other hand,
absolutely depends upon advance preparation, and an answer is almost
useless unless the reasoning, background, and process is not only
chronicled, but properly and legally obtained.  Thus the authors are
aware of the twin needs to inform technical experts about the
requirements of the legal world, and to instruct legal professionals
in aspects of technology that may be relevant to the pursuit of a
case.  The introduction notes the possible tragedies that can result
if either the trial attorney or the technical expert attempts to act
as ventriloquist to the other's dummy.

Chapter one gives examples of expert witnesses, starting with a
fictional example from a movie.  Normally this would not be very
instructive, but the authors are careful to point out, from the
fictional story, important legal points to be aware of in regard to
the possibilities and limits of expert testimony (and also the legal
restrictions that would prevent some of the story points from
happening in a real case).  The rest of the chapter then goes on to
introduce legitimate and recognized experts, and present their
opinions and advice in regard to the practice of expert testimony.
Chapter two is supposed to promote both the idea of becoming an expert
witness, and of preparing for the experience.  In fact, most of the
material deals with Bill Gates' first deposition in the antitrust
litigation, and the mistakes that he made.  The example does make
valid points both about the value of preparation and the need to
testify whether we want to or not, but the message is not always
obvious.  Using testimony to provide a story about what happened is
presented in chapter three.  The example, though, is the tracing of
Kevin Mitnick's intrusion on the systems managed by Tsutomu Shimomura,
and therefore the testimony, which never happened, is simulated, which
weakens the lessons the text intends to convey.  Chapter four outlines
the rules of testimony and the legal process, and is the section that
technical people should probably study most thoroughly.  Although
there are important points to be made in regard to the dangers of
reasoning beyond the facts, chapter five reads more like an editorial
inveighing against pseudoscience.

Ethical issues are discussed in chapter six.  The early material
involves a great deal of text from two case decisions, but eventually
there is a review of codes of conduct, and even examination of some of
the moral aspects of court battles.  Chapter seven deals specifically
with the matter of bias.  The gatekeeper function of American judges,
who must decide not only whether a witness is truly expert, but on
what the expert may testify about or to, is covered in chapter eight.
This material also reviews important points about the qualifications
for experts and the characteristics of good evidence.  Credible and
convincing evidence and presentation is described in chapter nine, and
this is extended to visual exhibits in chapter ten, demeanour in
eleven, and non-verbal communications in twelve.  Chapter thirteen
contains examples of, and advice from, some experts who have extensive
experience in court testimony.

The book sometimes flows rather oddly, and it would be easy to take
issue with a number of the topics or the emphasis given to certain
ones over others.  Even so, this work *is* important, and information
security professionals, and certainly those in management or
consulting roles, should seriously consider it.  The text is written
with the technical worker in mind, although legal professionals would
undoubtedly find the research, advice, and explanations to be helpful
in preparing for technical cases.  Litigation involving technical
topics is increasing all the time, and new (and therefore unfamiliar)
technologies are now as constant a fact of legal life as forensic
concerns are in technical work.

copyright Robert M. Slade, 2003   BKGDFOTS.RVW   20030604
rslade@vcn.bc.ca      slade@victoria.tc.ca      rslade@sun.soci.niu.edu
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
