The RISKS Digest
Volume 23 Issue 01

Friday, 7th November 2003

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Credit agencies sending our files abroad
David Lazarus via Paul Saffo
Crypto screwup: Sensitive Israeli missile test inadvertently broadcast
Craig S. Bell
A new risk for electronic voting
Jeremy Epstein
California Halts E-Vote Certification
Kim Zetter via Monty Solomon
Touch screen voting — like Web site maintenance?
William Nico
Irish Labour Party urges suspension of e-voting until flaws addressed
Patrick O'Beirne
E-ZPass, UPS, and Newark Airport
Susan Landau
Microsoft puts a price on the heads of virus writers
Microsoft patches their patched patches
Robert Bruce Thompson via Dave Farber
Remember those jokes about "if AT&T built cars?"
Daniel P.B. Smith
Duh! an electronic signature!
Geoff Kuenning
Paying employees is not rocket science
Paul Robinson
Another victim of the d__n bad-word filter!
Adam Abrams
REVIEW: "High Integrity Software", John Barnes
Rob Slade
Info on RISKS (comp.risks)

Credit agencies sending our files abroad (via Dave Farber's IP)

<Paul Saffo <>>
Fri, 07 Nov 2003 08:47:57 -0800

David Lazarus <>,
*San Francisco Chronicle*, 7 Nov 2003 [PGN-ed]
IP Archives at:

Two of the three major credit-reporting agencies (Equifax, Experian and
TransUnion, each holding detailed files on about 220 million U.S. consumers)
are in the process of outsourcing sensitive operations abroad, and a third
may follow suit shortly.  Privacy advocates say the outsourcing of files
that include Social Security numbers and complete credit histories could
lead to a surge in identity theft because U.S. laws cannot be enforced
overseas.  For their part, the credit agencies say the trend is a necessary
cost-cutting move in light of new legislation that would allow all consumers
to obtain free copies of their credit reports.  (TransUnion states that
would cost them as much as $350 million a year.)

"The application of American law in a foreign country is difficult, if not
impossible," said Sen. Dianne Feinstein. "Therefore, the more companies move
overseas, the less American law can control the uses for which personal data
is put. And this can only represent an increasing threat to the privacy of
our citizens."

Sen. Barbara Boxer said she would ensure that the matter was raised as
senators and House members completed changes to the Fair Credit Reporting
Act.  "This information is very significant, and I intend to make sure that
the conferees who are finalizing the bill are aware of the *Chronicle*'s
investigation in hopes that they will protect Americans from such outrageous
invasions of privacy," Boxer said.

Crypto screwup: Sensitive Israeli missile test inadvertently broadcast

<"Craig S. Bell" <>>
Thu, 06 Nov 2003 22:38:47 GMT

A security lapse by Israel Aircraft Industries apparently permitted an
internal screening of a missile test to be accessible by satellite dish,
    [PGN-ed; also

A new risk for electronic voting

<Jeremy Epstein <>>
Thu, 6 Nov 2003 15:56:08 -0500

The RISKS of electronic voting have been discussed often enough in this
forum that I won't repeat them further (cf. Rebecca Mercuri's piece in

Last week's election in Fairfax County (Virginia) had a new risk I haven't
seen covered before.  They use WinVote machines, made by Advanced Voting
Solutions of Frisco, Tex.  These are essentially Windows laptops with a
touchscreen and an 802.11 wireless net.  (More about that in another RISKS
article one of these days.)

Seems that during the election, at least eight of the machines failed (out
of almost 1000 in use county-wide), and were taken out of the polling places
to a central repair facility, and then brought back after some form of
"repair" was made (a reboot at the polling place did not solve the problem).
The seals were broken, but the voting officials in the precincts were told
to resume using them.  The result was a lawsuit by the Republican party
seeking to invalidate the votes from those machines.  There aren't enough
votes at stake that it would change any of the election results.

Of course, the real problem is that without any sort of physical (paper)
record, it's impossible to prove what really happened when the machines were
being "repaired".

In addition, the "hi tech" vote counting (which was supposed to occur by
uploading the results from every precinct to a central computer over a
dial-up line) overloaded the servers, and "More than half of precinct
officials resorted to the old-fashioned telephone to call in their numbers
or even drove the results to headquarters, elections officials said. A
handful of precincts went back to paper ballots."

The only thing that's surprising here is that the election officials were


California Halts E-Vote Certification (Kim Zetter)

<Monty Solomon <>>
Tue, 4 Nov 2003 19:16:59 -0500

Kim Zetter, Wired.Com, 3 Nov 2003

SACRAMENTO, California — Uncertified software may have been installed on
electronic voting machines used in one California county, according to the
secretary of state's office.  Marc Carrel, assistant secretary of state for
policy and planning, told attendees Thursday at a panel on voting systems
that California was halting the certification process for new voting
machines manufactured by Diebold Election Systems.  The reason, Carrel said,
was that his office had recently received "disconcerting information" that
Diebold may have installed uncertified software on its touch-screen machines
used in one county.  He did not say which county was involved. However,
Secretary of State spokesman Douglas Stone later told Wired News that the
county in question is Alameda.  ...,1283,61068,00.html

Touch screen voting — like Web site maintenance?

<William Nico <>>
Wed, 5 Nov 2003 09:02:54 -0800 (PST)

The 4 Nov 2003 election in Pleasanton, CA had only a School Board choice on
the ballot.  However, the "Instructions", which comprised the opening page
on the touch screen voting machine, were wholly focused in detail on the
gubernatorial recall election of 7 Oct 2003!

Irish Labour Party urges suspension of e-voting until flaws addressed

<"Patrick O'Beirne" <>>
Mon, 03 Nov 2003 19:39:55 +0000
Press Release

   Gilmore urges suspension of e-voting until flaws addressed

Eamon Gilmore TD, Labour Spokesperson on Environment and Local Government
Issued on Monday 03 November, 2003

The Labour Party has called for the suspension of plans to extend electronic
voting until the e-voting system has been changed.

The call was made today (Monday) by the Labour Party Spokesperson on Local
Government and the Environment, Eamon Gilmore TD, at a Press Conference to
launch a study of electronic voting system which was commissioned by the
Labour Party. The report was prepared by two Labour Party members, Shane
Hogan and Robert Cochran who are both experienced IT specialists.

Deputy Gilmore said:

"The report identifies a number of major flaws and deficiencies in the
electronic voting system which the Government plans to extend to all areas
of the country for the Local and European Elections next year.

The major defects are:-

* No integrated end-to-end test of the entire system has been conducted to
  date. The testing of the Integrated Election Software (IES) software was
  carried out by the UK based Electoral Reform Society in 2002. However for
  this test the random mix feature of the IES was disabled. An integrated
  end-to-end test would generally be considered a key part of the
  implementation of any new technology.

* Formal Methods were not used to prove the accuracy of the software.
  Formal Methods refer to a set of mathematically based techniques that are
  used in the development of safety-critical software such as airplane
  navigation or life support machines. The Department of the Environment has
  not made the actual source code publicly available but it is clear from
  the technology used and source code review that formal methods were not
  used and that therefore there are bugs in the software.

* It is possible that the data-base on the Count Centre PC which is
  Microsoft access, could be overridden by a replacement pre-prepared data
  base, which could be designed to give a specific result by a single "copy"
  command. In addition vote information is transferred between PCs at the
  Count Centre on floppy discs. It would not be difficult to exchange discs.

* Unauthorised persons could produce a version of the NEDAP voting machine
  software and/or the IES which could be designed to give an election result
  biased in favour of a particular Party or Candidate.

"These threats are possible because the proposed electronic voting system
lacks the transparency of the current paper ballot system. The voter has no
way of being certain that the vote which he/she casts is accurately recorded
by the voting machine and software and is thereafter not overridden by a
corruption of the Count Centre software. The voter is expected to have blind
trust in the technology.

"The Labour Party is proposing a number of reforms which will be necessary
if the proposed electronic voting system is to be reliable, free from
interference and if it is to enjoy the confidence of the public.

"The reforms proposed by the Labour Party are as follows:-

1. The introduction of a Voter Verifiable Audit Trail (VVAT) which would
create a parallel paper record of votes cast which could be stored and
checked in the event of a dispute over an election outcome.

2. The use of Formal Methods to ensure that the software used in both the
election machines and in the vote counting is totally reliable.

3. The adoption of formal procedures to prevent interference either with the
machines software or counting process.

4. The carrying out of an integrated end-to-end test of the entire system.

5. The establishment of an independent audit and supervisory role over
electronic voting for the Standards In Public Office Commission.

"The complete changeover to electronic voting next June will be the biggest
single change in the country's electoral practice since Independence.

"It is essential that electronic voting has the confidence of the public and
of the participants in elections. The system which the Government intends to
use next June is seriously flawed. No democracy should proceed with a new
electoral system which opposition Parties fear may lead to election rigging.

"It is essential for continuing confidence in the electoral system that the
proposed electronic voting be changed. The Government should suspend plans
for the extension of electronic voting until the reforms proposed by the
Labour Party have been implemented."

E-ZPass, UPS, and Newark Airport

<Susan Landau <>>
Mon, 3 Nov 2003 10:16:03 -0400

  [This appeared in the Metropolitan Diary section of *The New York Times*,
  3 Nov 2003.  It is yet another example of what can happen when perfectly
  plausible actions are combined in unexpected ways.  Fortunately this one
  is humurous.  Susan Landau]

Dear Diary:

After moving to Nashville from New York recently, it occurred to me that I
no longer had a pressing use for my E-ZPass. Following the E-ZPass
instructions, I filled out a few forms and dropped my pass off at United
Parcel Service, destination Staten Island service center.

Two weeks passed, and I received my normal E-ZPass e-mail statement. I
entered my account and, lo and behold, my recently surrendered pass had been
used by someone to go from Newark Airport to Exit 18 on the New Jersey

I was incensed.

I immediately called E-ZPass and informed them that someone had stolen my
pass. I explained that I had mailed the pass and that now someone was
running up and down the turnpike using it.

Very calmly, the E-ZPass representative said, "Sir, your E-ZPass was not
stolen, it is in the UPS truck, and every time that truck goes through an
E-Z Pass toll booth, it is going to register another toll."

Microsoft puts a price on the heads of virus writers

<"NewsScan" <>>
Thu, 06 Nov 2003 08:58:12 -0700

Microsoft is using an old-fashioned tactic to fight new-fangled viruses --
it's created a $5-million Anti-Virus Reward Program and is offering $250,000
bounties for information leading to the arrest and conviction of the people
behind last summer's Blaster worm and Sobig virus.  Together, those attacks
are blamed for $2 billion in losses by businesses and consumers, according
to consulting firm Computer Economics Inc.  Security experts are split on
whether the new initiative will prove successful, but Microsoft senior
security strategist Philip Reitinger says, "What we hope to accomplish is to
give people an incentive to do the right thing." [*Los Angeles Times*, 6 Nov
2003; NewsScan Daily, 6 Nov 2003],1,4082881.story

  [The sad part is that for $5M, MS cannot fix its deeper computer security
  problems, so that expenditure will not solve their problems.  On the other
  hand, if MS spent $2B rearchitecting and reimplementing their software,
  think what might be done!  (On the other hand, I recall the period in the
  1970s when IBM reportedly spent $40M on improving its mainframe computer
  security.  The old joke at the time was that they spent $39M on public
  relations and $1M on travel.)  PGN]

Microsoft patches their patched patches (IP)

<Robert Bruce Thompson>
Mon, 03 Nov 2003 11:34:47 -0500

  (via Dave Farber's IP, with an addition forward from Mark Luntzel)

For years, the conventional wisdom has been that one can't trust Microsoft
software until version 3.0, and that apparently is true for their security
patches as well.

The middle of last month, with much fanfare, Microsoft went to their new
scheme of releasing patches in batches once a month. A week or so later,
they released batches of patches to those batches of patches. Now, they're
releasing batches of patches to the batches of patches to the batches of

For details, see:


These batches and batches of patched patched patches are critical, so
don't ignore them. And, the way things are going, look for batches and
batches of patched patched patched patches sometime next week.

Robert Bruce Thompson <>

Remember those jokes about "if AT&T built cars?"

<"Daniel P.B. Smith" <>>
Sat, 01 Nov 2003 14:38:40 -0500

... those humorous pieces that point out the ludicrous unusability of
computer user interfaces by speculating on what a car with a similar user
interface might be like?  Well, don't laugh too hard...  *The Boston Globe*
auto writer Royal Ford just published an article headed: "For drivers,
electronic overload."

*The Boston Globe*, 1 Nov 2003

  "To start the heater or air conditioning in the [a 2-year old Acura] MDX,
  you start with the dashboard navigation screen, then make your way through
  a series of baffling electronic menus, through climate control and
  beyond.... 'It's a distraction while you're driving,' [owner Stuart
  Schneiderman] said....  The system in the [BMW] 7 Series... remains a
  landmark in complexity, using a dial between the front seats to reach
  eight "points" of control. Each point then controls a multilayered system
  of options that many drivers have found to be like peeling an electronic
  onion....  the system proved so complicated that Web sites have offered
  "cheats," hidden shortcuts like those used by video gamers.... the Lexus
  LS430 [has] one of the most manageable electronic... but the manual for
  the system runs to 178 pages."

To anyone who's ever had the window of a rental car frost up in traffic,
while leaving an airport, with no place to pull over and no companion handy
to dig out the owner's manual and locate the right button... the RISKS
should be obvious.

Daniel P. B. Smith, alternate:

Duh! an electronic signature!

<Geoff Kuenning <>>
Mon, 3 Nov 2003 23:39:07 -0800 (PST)

I just finished submitting a reference letter to the Hertz Foundation for a
student.  This process is done through a Web form.  The foundation requires
an electronic signature on the recommendation.  The signature is collected
by presenting the recommender with a Web page reading something like this:

    I certify that I am the person named below:

    (type name in box)

Even my wife, who is a musician by profession, reacted with "Oh, yeah,
*that's* real secure!"

I suggest that instead, the foundation should simplify my life by
simply providing a check box labeled "This recommendation is forged."

Geoff Kuenning

Paying employees is not rocket science

<Paul Robinson <>>
Tue, 28 Oct 2003 23:31:25 GMT

WBIG radio reported Friday that there was a protest by employees of the
Prince George's County [Maryland] School District over payroll problems.
The School District has installed a new computer system and apparently is
unable to generate payroll checks for quite a number of employees including
school bus drivers.  This is also causing problems with their health
insurance as well.  Some of the employees report that they have not been
paid since the start of the school year.  A School District spokesperson
reportedly said they are working with Oracle to find where the problem is.

My own comment is that something is really strange here.  I used to do
payrolls myself, by hand.  Generally you do them by computer because it's
cheaper than using lots of clerks and because it scales better.  But as this
article's title noted, payrolls are not some arcane subject, the method to
do them is pretty much cut and dried and has been probably since the 1970s
or 1980s with the standard accounting rules in effect.  The only issue is
for the number of employees that the computer system will scale properly.

Let's presume PG county has perhaps 30,000 employees at the school district.
If it takes an average of 10 seconds - obviously more than it actually takes
- to do all required calculations for each check, such as what deductions,
what payments, and how salary is computed, then they need 300,000 seconds to
calculate payroll, or roughly about 84 hours.  Split this onto 10 PCs and it
takes 1 day. Probably 4 hours on a mainframe.

Basically the most labor intensive part of this is keeping the laser
printers full of check stock.  There's something wrong with the picture

Another victim of the d__n bad-word filter!

<Adam Abrams <>>
Mon, 03 Nov 2003 11:04:59 -0800

I tried to register as a user at in order to
save a search. Filled out everything, clicked "submit", and got this odd
message: "This e-mail address has been flagged as inadmissible and you are
unable to place an ad."

This could mean any number of things ranging from benign (I'd already
registered and forgotten about it) to downright unsettling (I'm on some
secret government hit list). OK, maybe the second one is unlikely, but it
was still disturbing...

An e-mail cleared it all up: I'm the latest victim of the "bad word filter".
As they put it: "The reason that you are unable to create an account is due
to your e-mail address containing a vulgar word that has been flagged by our
bad word table."

I had to call their toll free line to have an actual human sign me up. While
on hold, I studied my e-mail address with fresh and suspicious eyes. It's my
full name + provider, "adamabrams@shaw(dot)ca". Even before the days of
e-mail, I'd never noticed anything even slightly vulgar about my name. Could
it be "bra"? They might have me flagged as a ladies-undergarment fetishist.
"rams"? Maybe the L.A. football team has had an obscenely bad season. No, it
was "dam". That's right, even _misspelled_ bad words set off the alarm. So
I'm also being punished for other people's illiteracy.

I guess the RISK is mainly that they'll lose customers due to an overzealous
data filter that flags letter combinations that appear in many everyday

(Turns out the rep entered part of my address incorrectly, but when I logged
in to correct my profile, my e-mail triggered the same bad-language flag
again! OK... I give up.)

REVIEW: "High Integrity Software", John Barnes

<Rob Slade <>>
Mon, 3 Nov 2003 07:08:12 -0800

BKHISTSA.RVW   20030913

"High Integrity Software", John Barnes, 2003, 0-321-13616-0
%A   John Barnes
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D   2003
%G   0-321-13616-0
%I   Addison-Wesley Publishing Co.
%O   416-447-5101 fax: 416-443-0948 800-822-6339
%P   430 p. + CD-ROM
%T   "High Integrity Software: The SPARK Approach to Safety and

Once upon a time, a group set out to build a language which would allow you
to write programs that could be formally verified.  Formal analysis and
proof can be used to determine that a program will work the way you want it
to, and not do something very weird (usually at an inopportune time).  First
came the attempt to build the Southampton Program Analysis Development
Environment (or SPADE) using a subset of the Pascal programming language.
When it was determined that Pascal wasn't really suitable, research was
directed to Ada, and the SPADE Ada Kernel, or (with a little poetic licence)
SPARK, was the result.

SPARK can be considered both a subset and extension to Ada, but is best seen
as a separate language in its own right.  SPARK forbids language structures
such as the infamous GOTO statement of Fortran and BASIC (which cannot be
formally verified).  Support for some object- oriented features has been
included in SPARK, but not for aspects like polymorphism which would make
formal proof problematic.  A great deal of the security of SPARK lies in the
idea of contracts and the use of data specifications (usually referred to as
interfaces) that prevent problems such as the unfortunately
all-too-ubiquitous buffer overflow.

Part one is an overview of the background and features of SPARK.  Chapter
one reviews some of the problems of unproven software, and the major
components of SPARK.  Support for the formal proof functions, such as
abstraction (the elimination of details not essential to the fundamental
operation of the concept or function) are discussed in chapter two.  The
various analysis tools are listed in chapter three.

Part two outlines the SPARK language itself.  Chapter four describes the
structure of SPARK and the lexical items it contains.  Language elements are
covered in chapters five, six, and seven, successively dealing with the type
model and operators, control and data flow, and packages and visibility
(local, global, etc.) which also reviews the object-oriented aspects of
SPARK.  Interfacing of the various parts of SPARK, and also of SPARK and
other languages, is in chapter eight.

Part three looks at the various analytical utilities in SPARK and the proof
process.  Chapter nine concentrates on the main Examiner tool.  A
mathematical discussion of data flow analysis, in chapter ten, is not
necessary to the operation of SPARK, but provides background and
explanation.  Verification, and the instruments that support it, are
reviewed in chapter eleven.  Chapter twelve examines the rather vague
practice of design, and proposes the INFORMED (INformation Flow Oriented
MEthod of Design) process, although it seems to be limited to some
admittedly useful principles.  A list of similar precepts makes up the
eponymous programming "Techniques" of chapter thirteen.  Chapter fourteen
retails a number of case studies of the possible use of SPARK for various
applications: the simpler ones also contain source code.

Both the writing in the book, and the explanations of SPARK, are clear.
Formal methods of architecture and programming are not well understood, and
this text does provide some justification for the exercise, although more
evidence and support would be welcome.  I recommend this work not only to
those interested in more secure applications development, but also to those
needing more information about formal methods in composition and system

copyright Robert M. Slade, 2003   BKHISTSA.RVW   20030913

Please report problems with the web pages to the maintainer