Forum on Risks to the Public in Computers and Related Systems
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Volume 23: Issue 29
Thursday 1 April 2004
Contents
Coincidental Risks -- related to electronic voting systems- Jim Horning
Toyota music-playing robot and possible spinoffs- PGN
April Foolproof: AT&T Alerts Consumers About the Latest Scams- Monty Solomon
Network Solutions' "A Sucker Born Every Minute" Domain Service- Lauren Weinstein
Fraudulent request for bank info- Ken Knowlton
Bridge construction mismatch- Ken Knowlton
Shuttle speed-brake gears installed backwards- Anthony Youngman
Pontiac leap-year bug- Tom Van Vleck
Online student election flaws- James Prescott
Utility employees rig customer survey- Monty Solomon
AOL unveils spam-victim sweepstakes- NewsScan
Wrong number leads to woman's arrest- Monty Solomon
Risks of confusing LAN and WAN rules- Leonard Erickson
Web site devoted to Word documents with unintended strikeouts- Henry Baker
Risks of discarded receipts- Tim Aidley
Exploiting Software: How to Break Code, Hoglund/McGraw- PGN
Info on RISKS (comp.risks)
Coincidental Risks -- related to electronic voting systems
<Jim Horning <horning@acm.org>>
Thu, 1 Apr 2004 00:58:19 GMT

[The following item appears in the *Communications of the ACM*, 47, 4, April 2004, and is reproduced here with the permission of the author, subject to CACM copyright guidelines. PGN]

The story of the Aceville elections has received some attention in the national press, but it is worth considering from a Risks perspective. This column is based on reports by AP (Affiliated Press, Unusual Election Results in Ohio Town, 2/30/04) and Rueters (Losers Question Ohio Election, 2/30/04).

The Aceville, OH, municipal elections last February -- the city's first time using the SWERVE electronic voting system -- led to the election of the alphabetically first candidate in all 19 races. This is an astonishing coincidence. Furthermore, every winning candidate, and Measure A, garnered 100% of the votes counted.

``I am extremely gratified by this mandate,'' said mayor-elect Neuman E. Alfred, who received 7,215 votes in a town with 7,213 registered voters. ``This is the greatest electoral landslide since the re-election of Iraqi President Saddam Hussein.''

Byron Augusta, CEO of Advanced Automatic Voting Machines (AAVM), which supplied the SWERVE system, denied that there was anything suspicious about the coincidence that Alfred was also the AAVM technician in charge of the new voting machines. ``We are confident of the integrity of our employees, which is reflected in their unblemished record of electoral success. Reports that Alfred installed undocumented `software patches' the day before the election are completely unfounded. We could prove this to you, except that the machines now contain the software upgrade that Alfred installed the day after the election. Anyhow, our software was once certified tamper-proof by the Federal Election Commission. Any suggestion of hanky-panky is scurrilous and un-American. We were unquestionably the low-cost bidder.''

Ohio Supervisor of Elections Ava Anheuser expressed no surprise that the alphabetically first candidate won every race. ``Don't you believe in coincidence?'' she asked. ``This is an example of Adam Murphy's Law: `If it's logically possible, sooner or later it's bound to happen.' AAVM downloaded the totals from the voting machines three times. There's nothing else to recount.''

Rueters reported that several voters claimed to have voted for losing candidates, including mayoral candidate Zeke Zebronski, who said, ``I know this election was crooked. I voted for myself three times, and still got no votes.'' However, the *Aceville Advertiser* conducted an investigation and concluded that the complaints were the work of ``a small group of out-of-town academic Luddites with a paper fetish,'' and ``an even smaller group of agitators for `alphabetic equality'.'' ``They should remember that `America' starts and ends with A,'' chided *Advertiser* Editor-in-Chief Ada Augusta.

Pundits are divided on whether this election was a statistical fluke, or is the harbinger of a statewide, or even national, trend. But many politicians are taking no chances. The Democratic Party is scrambling to find an A presidential candidate. ``We just don't see how Clark or Dean can beat Bush in this environment,'' said party spokeswoman April Brown. The newly-renamed All American Party's entire Ohio slate has filed to legally change their names, to Aaron Aaren, Abigail Aaren, etc. ``It's like one big family,'' said party secretary Absalom Aaren, ``and we expect to do very well in the next election.''

The American Association of the Mentally Challenged has pressed for national adoption of the SWERVE system. Spokeswoman Ada Augusta stressed that ``This is the only available system that guarantees that your vote will be counted, whether you can cast it or not. And it will bring jobs to Aceville.'' Measure A provided tax-exempt bond funding for the Aceville Automation Park, which will house new headquarters for both AAVM and the *Advertiser*.

On a lighter note, the American Automobile Association was elected Dog Catcher, even though it wasn't on the ballot. ``This seems to be the first time a write-in candidate has been elected without any write-ins,'' said an AAA insider, who spoke on condition of anonymity.

Regular readers of ``Inside Risks'' know that there is an important distinction between coincidence and causality. The fact that A preceded B does not mean that A caused B. The order of the candidates probably didn't influence enough voters to change Aceville's landslide results. However, ``out of an abundance of caution,'' election officials should have followed the advice of People for Randomized Alphabetic Ballots (PRAY4Ps). Putting names on the ballot in random order preserves faith in the fairness of the election. Of course, it is still possible for a random permutation to leave names in alphabetical order. Wouldn't *that* be a coincidence? I'd be happy to Risk It.

[Jim Horning <horning@acm.org> is a member of the American Association for April Foolishness, and a co-founder of PRAY4Ps.]
Toyota music-playing robot and possible spinoffs
<"Peter G. Neumann" <neumann@csl.sri.com>>
Thu, 1 Apr 2004
Relating to the Toyota music-playing robot item some of you may have seen
(replicated below), the extension of the concept from trumpets to other
brass-family instruments is relatively straightforward: trumpets, French
horns, valve trombones, and tubas all have the same basic mathematically
based fingering system (relative to the fundamental of the instrument).
In order to provide a well-disciplined robotic brass band, Toyota will need
to implement a real-time distributed operating system by which each robot
can interoperate. This system would allow tight synchronization among the
players to be controlled by a robot conductor, where all the robots are
integrated into a wireless local network. Arbitrary music can be downloaded
on a per-instrument-type basis with fingering plans akin to those of a
remotely controlled player piano, so that the group could easily expand its
repertory.
This approach would even facilitate performance of musical works such as
Gabrielli's antiphonal compositions for multiple brass quartets and quintets
dispersed around a concert hall or outdoor space. One of the standard
problems in the past has been the acoustic delays, which tend to create long
gaps between antiphonal responses, somewhat similar to remote news
commentators linked by satellite communications.
The risks are numerous, although not onerous [one-rous? two-rous?].
Perhaps other robots could also provide a chorus:
* Blue screens, smiling at me,
Nothing but blue screens do I see.
(Accidental or intentional denial of service attacks,)
* Wrong song, screeching at you,
Nothing but wrong song; you can sue.
(Given the general insecurity of wireless networking
and operating systems, and the dynamic downloadability of
music files, it is likely -- for example -- that ribald,
raucous, or otherwise inappropriate tunes might be maliciously
substituted for liturgical music. This would be likely to stir
up Congressional legislation to protect robot vendors from
liability under such circumstances.)
* I've got plenty of nothin',
And nothin's got plenty of me.
(Accidental deadly embraces caused by certain Trojan-horsey note
sequences, security flaws caused by basso overflow, etc.)
This message is a trum-pet-er swan song
(inspired by a famous star of the previous century, Glorious Swansong).
Date: Fri, 12 Mar 2004 09:38:39 -0700
From: "NewsScan" <newsscan@newsscan.com>
Subject: Toyota robot toots its own horn
Toyota has taken the wraps off its latest venture in humanoid robotics --
a 4-foot (120cm) tall machine that plays "When You Wish Upon a Star" on a
trumpet. The automobile company says it hopes to form a robot band to
play at the 2005 World Exposition in Japan next year. The musibot is the
latest entry in an increasingly competitive rivalry with Honda, whose
Asimo robot walks around, and Sony, whose Qrio sings, dances, and jogs.
[BBC News 11 Mar 2004; NewsScan Daily, 12 Mar 2004]
http://news.bbc.co.uk/1/hi/technology/3501336.stm
[I suppose that a robot text editor might perform a fontal robotomy
on this issue of RISKS. PGN]
[Important note: The NewsScan item above is not April Foolishness.
The same is true of the following items in this issue. PGN]
April Foolproof: AT&T Alerts Consumers About the Latest Scams
<Monty Solomon <monty@roscom.com>>
Wed, 31 Mar 2004 17:47:16 -0500
PRNewswire: This April Fool's Day, AT&T wants to warn consumers about some
of the latest scams being perpetrated on the unsuspecting public.
"Awareness certainly helps consumers from being bilked," said Robert Cruz,
consumer affairs director for AT&T. "We try to be vigilant about
detecting new fraud and alerting consumers so they won't fall prey to ever
more resourceful lawbreakers."
Beware of the following schemes:
Star-7-2, billing back to you: You receive a call from a stranger posing
as a telephone technician or telling you that he has been arrested for
driving with a suspended license and is in jail -- or is in a situation
that requires your immediate help. "I need to reach my wife and tell her
what happened so she can pick up our two kids. Would you dial *72 and
then her number?"
Star-7-2 is a custom feature for call forwarding. When the customer dials
*72 followed by a telephone number, it activates the call forwarding
feature causing all your incoming calls to ring at another number. At the
end of the other line -- whether calls have been forwarded to a landline,
a cell phone or a payphone -- the original caller's partner-in-crime is
able to accept all collect and third-party calls, while telling your own
legitimate callers that they have the wrong number. You get billed for
all calls made because your number is the one from which they are
forwarded. This ingenious scam, which even overrides cell phones'
inability to get collect calls, may go on for several days before you
become aware it has occurred.
*72, Not for you: Do not accept collect calls from individuals you don't
know, regardless of who they claim to be. Also, never activate *72, the
call forwarding feature, unless you yourself wish to have calls forwarded
elsewhere.
Within the sound of my voicemail: Hackers can compromise your voicemail
system in order to make fraudulent collect, third party or direct-dial
calls. Hackers make use of an out-calling feature on many systems that
allows them to make the calls at your expense. It isn't until you receive
notification from your telephone company's security group, notice
something different about your voicemail greeting, or receive a large bill
that you realize you have become a victim.
To prevent this:
* Always change the default password provided by your voicemail vendor.
* Choose a complex voicemail password, of at least six digits, so it's
difficult for a hacker to guess.
* Don't use obvious passwords such as an address, birth date or phone
number.
* Change your voicemail password often.
* Check your announcement regularly to ensure the greeting is indeed
yours. (Owners of small businesses should consider disabling the
auto-attendant, call-forwarding and out-paging capabilities of
voicemail, if these features are not used, because those features also
can be hacked.)
[...]
For these and other tips on avoiding telecommunications and Internet fraud,
visit www.att.com/consumertips. Don't be an April Fool today or any day.
- http://finance.lycos.com/home/news/story.asp?story=40974362
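The voicemail advice above (at least six digits, not the vendor default, not an address, birth date or phone number) can be turned into a mechanical check. The following is an added example, not AT&T's or any vendor's code; the default-PIN list and the birth-date orderings it tries are assumptions, and the phone number and date used in the tests are constructed.

```python
import re

# Assumed list of typical vendor defaults; a real deployment would use its own.
VENDOR_DEFAULTS = ("0000", "1234", "000000", "123456", "111111")


def _is_run(pin: str) -> bool:
    """True for strictly ascending or descending sequences such as 123456 or 654321."""
    if len(pin) < 3:
        return False
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


def _is_repeated_block(pin: str) -> bool:
    """True when the PIN is a short block repeated, e.g. 121212 or 123123."""
    for size in range(1, len(pin) // 2 + 1):
        if len(pin) % size == 0 and pin[:size] * (len(pin) // size) == pin:
            return True
    return False


def _date_variants(iso_date: str) -> list:
    """Digit strings a birth date (YYYY-MM-DD) might be typed as: YYYYMMDD,
    MMDDYYYY, DDMMYYYY and the two-digit-year forms."""
    try:
        y, m, d = iso_date.split("-")
    except ValueError:
        return []
    return [y + m + d, m + d + y, d + m + y, m + d + y[2:], d + m + y[2:], y[2:] + m + d]


def pin_problems(pin: str, *, phone_number: str = "", birth_date: str = "",
                 address_number: str = "", min_length: int = 6) -> list:
    """Return the reasons a voicemail PIN is weak; an empty list means it passed."""
    problems = []
    if not pin.isdigit():
        return ["must be digits only"]
    if len(pin) < min_length:
        problems.append(f"shorter than {min_length} digits")
    if pin in VENDOR_DEFAULTS:
        problems.append("vendor default")
    if len(set(pin)) == 1:
        problems.append("single repeated digit")
    elif _is_repeated_block(pin):
        problems.append("repeated block")
    if _is_run(pin):
        problems.append("ascending or descending run")
    # Personal data the tip list names as "obvious": phone, birth date, address.
    personal = [
        ("phone number", [re.sub(r"\D", "", phone_number)]),
        ("birth date", _date_variants(birth_date)),
        ("address", [re.sub(r"\D", "", address_number)]),
    ]
    for label, variants in personal:
        if len(pin) >= 4 and any(v and pin in v for v in variants):
            problems.append(f"appears in {label}")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real subscriber data.
    for candidate in ("123456", "0314", "550199", "738204"):
        print(candidate, pin_problems(candidate, phone_number="206-555-0199",
                                      birth_date="1975-03-14"))
```

The run and repeated-block tests catch the keypad patterns people reach for when told to pick "something long"; the personal-data test is only as good as the profile fields passed in, so a deployment would feed it whatever the account record holds.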
Network Solutions' "A Sucker Born Every Minute" Domain Service
<Lauren Weinstein <lauren@vortex.com>>
Wed, 24 Mar 2004 10:25:40 -0800 (PST)

When I first heard about this my initial reaction was that it must be a joke. Sadly, it is not.

It appears we not only have to worry about spammers, scammers, and other illicit fraudsters on the Net, but now the vested, 800-pound gorilla of domain name registrations, Network Solutions (recently spun-off from our friends at VeriSign) has a new plan to try to fleece the masses -- a "100 Year" domain registration service! I kid you not -- they're sending out the e-mails promoting this gem as I type these words.

Yes, boys and girls, just send Network Solutions your non-refundable renewal fee in the amount of $999, and they'll renew your domain every year for an Entire Century.

Never mind that domain names and the Internet are unlikely to even exist as we know them now *long* before a hundred years have elapsed. Forget about the fact that Network Solutions itself (as well as everyone reading this message) is likely to have vanished from the scene well before 2104. For that matter, we'll be damn lucky if *civilization* still exists by that time.

It appears that we now have a new textbook definition of greed, along with treating the entire Internet community like a pack of imbeciles. But then, anyone who falls for Network Solutions' "No worries for 100 years" service will themselves have given new meaning to the concept of a sucker.

http://www.networksolutions.com/en_US/name-it/popup-100-yr-term.jhtml

Lauren Weinstein, lauren@pfir.org, +1 (818) 225-2800, http://www.pfir.org/lauren
People For Internet Responsibility, http://www.pfir.org
http://www.factsquad.org
Fraudulent request for bank info
<Ken Knowlton <KCKnowlton@aol.com>>
Mon, 29 Mar 2004 12:08:16 EST
On 25 Mar 2004, I received, not a surprise, but just another example of
fraudulent requests for personal information. My local branch officer,
after some reflection and search, said that yes, a week earlier, they were
notified of the scam and that action was being taken to shut down the site
(no mention of trying to apprehend the culprits). The complete e-mail to me
appears below. What does surprise me is that it is so obviously a spoof.
- - - - - - - -
Dear Member,
This e-mail was sent by the [bankname] server to verify your e-mail
address. You must complete this process by clicking on the link below and
entering your [bankname] ATM/Debit Card number and PIN that you use on ATM.
This is done for your protection because some of our members no longer have
access to their e-mail addresses and we must verify it. This is to prevent
any type of online fraud. [bankname] is made to protect your identity
online.
To verify your e-mail address and protect your [bankname] account, click on
the link below. If nothing happens when you click on the link (or if you use
AOL), copy and paste the link into the address bar of your web browser.
[URL removed. no longer valid. PGN]
Thank you for using [bankname].
Bridge construction mismatch
<KCKnowlton@aol.com>
Tue, 30 Mar 2004 13:54:52 EST

German and Swiss engineers, finally connecting their respective parts of the new Upper Rhine Bridge in Laufenburg, Germany, discovered that one half had been built 54 cm lower than the other, requiring massive reconstruction. [*Der Spiegel*, 14 Jan 2004; *Salt Lake Tribune*, 2 Feb 2004] (There must be a lesson in this debacle somewhere.)

[Someone must have had No-Pfaltz insurance. PGN]
Shuttle speed-brake gears installed backwards
<"Anthony Youngman" <Anthony.Youngman@eca-international.com>>
Wed, 24 Mar 2004 09:36:37 -0000
A space shuttle has risked disaster every time it flew in the last 20 years
because its speed brakes were faulty, NASA said yesterday. Gears were
installed backwards on the flaps in Discovery's tail. They could have failed
under the stress of an emergency landing, causing a crash. Discovery has
flown 30 times since 1984 without a problem. The reversed gears were found
in an actuator which works the flaps -- they stick out to create drag and
slow the craft in flight. NASA, which is blaming subcontractor Hamilton
Sunstrand, said it would replace parts on all three shuttles before
restarting missions after last year's Columbia disaster. [Source: London
*Metro*, 24 Mar 2004. See also
http://aolsvc.news.aol.com/news/article.adp?id=20040322213609990004
(noted by Ken Knowlton). PGN]
Pontiac leap-year bug
<Tom Van Vleck <thvv@multicians.org>>
Tue, 23 Mar 2004 07:01:05 -0500

``Due to a software glitch, the computer display in the 2004 model year Grand Prix shows the wrong day of the week, Pontiac spokesman Jim Hopson said on Monday. Engineers overlooked the fact that 2004 is a leap year, with an extra day,''
http://story.news.yahoo.com/news?tmpl=story&cid=583&ncid=583&e=4&u=/nm/20040322/od_nm/autos_gm_leapyear_dc

Jerry Saltzer's story on Multics calendar calculations is at
http://www.multicians.org/jhs-clock.html

What worries me is, what ELSE did the GM guys overlook?
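What a forgotten leap day does to a day-of-week display is easy to reproduce. The following is an added example and not GM's software: it pairs a weekday routine that omits the leap-year rule with a correct one, counting days from an assumed anchor (1 January 2001, a Monday), and finds the first date on which the two disagree. The dates in the test are constructed around the story's date.

```python
from datetime import date, timedelta

WEEKDAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]
DAYS_IN_MONTH = [31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]
ANCHOR_YEAR = 2001   # assumption: 1 Jan 2001 was a Monday; dates must be >= that


def is_leap_year(year: int) -> bool:
    """Gregorian rule: every fourth year, except centuries not divisible by 400."""
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def day_of_year(year: int, month: int, day: int, *, handle_leap: bool) -> int:
    """1-based ordinal of the date within its year."""
    n = sum(DAYS_IN_MONTH[:month - 1]) + day
    if handle_leap and month > 2 and is_leap_year(year):
        n += 1   # 29 February pushes every later date of the year by one
    return n


def weekday_name(year: int, month: int, day: int, *, handle_leap: bool = True) -> str:
    """Weekday by counting the days elapsed since the anchor Monday.
    With handle_leap=False this reproduces the defect: every year is 365 days
    and 29 February is never counted, so from 1 March of a leap year on the
    display is one day behind."""
    elapsed = 0
    for y in range(ANCHOR_YEAR, year):
        elapsed += 366 if (handle_leap and is_leap_year(y)) else 365
    elapsed += day_of_year(year, month, day, handle_leap=handle_leap) - 1
    return WEEKDAYS[elapsed % 7]


def first_wrong_day(year: int):
    """ISO date of the first day in `year` on which the leap-unaware routine
    disagrees with the standard library's calendar, or None if never."""
    d = date(year, 1, 1)
    while d.year == year:
        if weekday_name(d.year, d.month, d.day, handle_leap=False) != WEEKDAYS[d.weekday()]:
            return d.isoformat()
        d += timedelta(days=1)
    return None


if __name__ == "__main__":
    print("22 Mar 2004, correct:", weekday_name(2004, 3, 22))
    print("22 Mar 2004, leap-unaware:", weekday_name(2004, 3, 22, handle_leap=False))
    print("first wrong day of 2004:", first_wrong_day(2004))
```

The slip shows up only from 1 March of the leap year, which is why a display that passed every test in January and February of 2004 could still be wrong by the time the story ran.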
Online student election flaws
<James Prescott <prescotj@telusplanet.net>>
Tue, 23 Mar 2004 17:25:50 -0700

According to the Calgary *Herald*, 23 Mar 2004, the Student Union Review Board on 22 Mar 2004 ordered a complete new election. There is apparently a higher level of appeal within the Students' Union, so the story may not be entirely over. The *Herald* story did not add any details not already known about the flaws in the online voting software.

Excerpts from Chris Beachamp, Online voting glitches?, *The Gauntlet*, the student newspaper of the University of Calgary, in Calgary, Alberta, Canada, 18 Mar 2004, regarding potential flaws in the online voting system used in this year's Students' Union General Election (PGN-ed):

Sorex Software Inc. ``discovered an issue that allows for the possibility for the system to mix up one voter for another.'' The system slowed down due to the larger than normal ballot size and ``significantly larger HTML data'' in the ballot code, which was too large for the word processor software! ``The slow down may have caused some voters to leave their voting stations before their ballot was complete. This could have allowed another voter to [log in] and complete the first voter's ballot.'' Because of the anonymity, it was impossible to trace how often this problem might have occurred. Sorex allegedly violated a number of SU election bylaws. Citing irregularities in the online voting system, including voters logging in to find their ballots already selected or even closed, the petition claims system crashes ``affected the overall integrity of the election process and compromised the election result.''
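The failure the excerpt describes, a second voter logging in and completing the first voter's ballot, is a session-binding defect. The model below is an added example and not Sorex's software: the flawed station keeps whichever ballot was left open and hands it to the next login, while the hardened station ties each ballot to the authenticated voter, checks that binding on every action, discards an abandoned ballot on the next login, and times out idle sessions. Voter ids, race names and the timeout value are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Ballot:
    voter_id: str
    choices: dict = field(default_factory=dict)
    submitted: bool = False


class FlawedStation:
    """Models the defect: one open ballot per station, not per voter."""

    def __init__(self):
        self.open_ballot = None

    def login(self, voter_id):
        if self.open_ballot is None or self.open_ballot.submitted:
            self.open_ballot = Ballot(voter_id)
        return self.open_ballot           # may still belong to the previous voter

    def vote(self, ballot, race, choice):
        ballot.choices[race] = choice

    def submit(self, ballot):
        ballot.submitted = True
        return ballot.voter_id            # whose name the votes are recorded under


@dataclass
class Session:
    voter_id: str
    ballot: Ballot
    last_activity: float


class HardenedStation:
    """Every ballot is bound to the voter who authenticated; a new login
    abandons whatever was open, and an idle session is discarded."""

    def __init__(self, idle_timeout=90.0):
        self.idle_timeout = idle_timeout
        self.session = None
        self.recorded = {}                # voter_id -> submitted Ballot

    def login(self, voter_id, now):
        if voter_id in self.recorded:
            raise PermissionError(f"{voter_id} has already voted")
        self.session = Session(voter_id, Ballot(voter_id), now)   # never reuses an old ballot
        return self.session

    def _authorise(self, session, now):
        if session is not self.session:
            raise PermissionError("not the station's active session")
        if session.ballot.voter_id != session.voter_id:
            raise PermissionError("ballot does not belong to this voter")
        if now - session.last_activity > self.idle_timeout:
            self.session = None
            raise TimeoutError("session idle too long; ballot discarded")
        session.last_activity = now

    def vote(self, session, race, choice, now):
        self._authorise(session, now)
        session.ballot.choices[race] = choice

    def submit(self, session, now):
        self._authorise(session, now)
        session.ballot.submitted = True
        self.recorded[session.voter_id] = session.ballot
        self.session = None
        return session.voter_id


def replay_scenario():
    """Voter A starts a ballot and walks away; voter B logs in at the same
    station and finishes. Reports who each station records the votes under."""
    flawed = FlawedStation()
    a = flawed.login("voter-A")
    flawed.vote(a, "president", "candidate-1")
    b = flawed.login("voter-B")           # receives A's half-finished ballot
    flawed.vote(b, "treasurer", "candidate-2")
    flawed_owner = flawed.submit(b)       # recorded as voter-A's ballot

    hardened = HardenedStation()
    sa = hardened.login("voter-A", now=0.0)
    hardened.vote(sa, "president", "candidate-1", now=10.0)
    sb = hardened.login("voter-B", now=20.0)   # A's abandoned ballot is dropped
    hardened.vote(sb, "treasurer", "candidate-2", now=25.0)
    hardened_owner = hardened.submit(sb, now=30.0)
    try:
        hardened.vote(sa, "president", "candidate-3", now=35.0)
        stale_rejected = False
    except PermissionError:
        stale_rejected = True
    return {
        "flawed_recorded_under": flawed_owner,
        "flawed_choices": dict(b.choices),
        "hardened_recorded_under": hardened_owner,
        "hardened_choices": dict(hardened.recorded["voter-B"].choices),
        "stale_session_rejected": stale_rejected,
    }


if __name__ == "__main__":
    print(replay_scenario())
```

Note what the hardened version does with voter A's half-finished ballot: it is discarded, not submitted, so A can return and vote afresh, and nothing A chose can be attributed to B or vice versa. The anonymity point in the excerpt still holds; binding a ballot to a session for the duration of voting does not require keeping that link after submission.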
Utility employees rig customer survey
<Monty Solomon <monty@roscom.com>>
Thu, 18 Mar 2004 13:42:08 -0500

A Southern California Edison customer-satisfaction survey was spoofed by at least 12 employees who had altered system data in order to have their friends and relatives receive survey calls and provide glowing reports. The company apparently thereby falsely received millions of dollars based on the survey! [Source: Reuters, 17 Mar 2004; PGN-ed]
http://www.boston.com/news/odd/articles/2004/03/17/utility_employees_rig_customer_survey/
AOL unveils spam-victim sweepstakes
<"NewsScan" <newsscan@newsscan.com>>
Tue, 30 Mar 2004 09:20:48 -0700

America Online is launching a sweepstakes program that will award victims of spam various assets seized from spammers. The top prize is a 2002 Porsche Boxster S, purchased with the proceeds from a lawsuit settled with a spammer -- one of five antispam lawsuits that AOL filed in federal court last year. AOL executive VP and general counsel Randall Boe says the company sees the sweepstakes program as a "great way to teach spammers a lesson, and reward our members for their continued use of the 'Report Spam' button." The sweepstakes started at 5:00 a.m. this morning and will run till 11:59 p.m. eastern time on April 8th. Details can be found at AOL.com. [*Internet News*, 30 Mar 2004; NewsScan Daily, 30 Mar 2004]
http://www.internetnews.com/xSP/article.php/3332991
Wrong number leads to woman's arrest
<Monty Solomon <monty@roscom.com>>
Thu, 18 Mar 2004 13:44:33 -0500

Using her cell phone, an Oklahoma woman mistakenly called her parole officer. She was arrested after she tried to set up a drug deal. [Source: Reuters, 18 Mar 2004, PGN-ed]
http://www.boston.com/news/odd/articles/2004/03/18/wrong_number_leads_to_womans_arrest/
Risks of confusing LAN and WAN rules
<shadow@krypton.rain.com (Leonard Erickson)>
Wed, 31 Mar 2004 02:18:49 -0800

I'd noticed some time ago that I couldn't access files on one of the servers used in Yahoo Groups (f4.grp.yahoofs.com). I figured it was down or some such. I ran into this again a couple months ago and found that I still couldn't get thru to that server. Since my ISP had done a few odd things in the recent past, I tried via dial-up on another ISP and got thru.

After much swapping of cables and computers, I discovered that the culprit was my router! A Multitech 550VPN.

Several exchanges of e-mail with tech support finally brought forth the info that the server was being blocked because its IP address (66.218.66.255) ended in .255. Tech support informed me that meant it was a broadcast address. I had to inform them that, no, it did *not*. Only *some* addresses ending in .255 are broadcast addresses and blocking the rest is badly broken behavior.

They said they were turning the info over to the engineers. So far, no trace of a patch. And I discovered the same bug exists in the RF 500 as well.

The risk is someone who *thought* they knew something deciding to use it to implement a "security" measure that amounts to a designed-in denial of service for some parts of the Internet.

Leonard Erickson (aka shadow) shadow at krypton dot rain dot com
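The "ends in .255" rule fails because a broadcast address is defined relative to a subnet, not by its last octet. The following is an added example and not the router vendor's code: it compares the naive rule against the real directed-broadcast test using the standard library's ipaddress module. The /22 containing 66.218.66.255 is an assumption chosen to illustrate the point (the actual Yahoo subnet mask is not given in the item); the 10.0.0.0/25 case is constructed to show the rule failing in the other direction.

```python
import ipaddress


def naive_is_broadcast(addr) -> bool:
    """The router's rule as the item describes it: anything ending in .255."""
    return str(addr).endswith(".255")


def is_directed_broadcast(addr: str, network: str) -> bool:
    """Correct test: an address is the directed broadcast of exactly one network,
    the one whose prefix it shares and whose host bits it has all set to one."""
    ip = ipaddress.IPv4Address(addr)
    net = ipaddress.IPv4Network(network, strict=False)
    return ip in net and ip == net.broadcast_address


def naive_rule_errors(network: str):
    """Walk every address in `network` and report where the naive rule is wrong.
    Returns (false_positives, false_negatives): hosts wrongly blocked, and the
    real broadcast address the rule would let through."""
    net = ipaddress.IPv4Network(network, strict=False)
    false_positives = [str(ip) for ip in net
                       if naive_is_broadcast(ip) and ip != net.broadcast_address]
    false_negatives = [str(ip) for ip in net
                       if not naive_is_broadcast(ip) and ip == net.broadcast_address]
    return false_positives, false_negatives


if __name__ == "__main__":
    # Assumed /22: 66.218.66.255 is then an ordinary host, and the real
    # broadcast address of that block is 66.218.67.255.
    print(is_directed_broadcast("66.218.66.255", "66.218.64.0/22"))   # False
    print(is_directed_broadcast("66.218.66.255", "66.218.66.0/24"))   # True
    print(naive_rule_errors("66.218.64.0/22"))   # three hosts wrongly blocked
    print(naive_rule_errors("10.0.0.0/25"))      # real broadcast .127 not caught
```

A filter that cannot know the remote subnet mask cannot decide whether a remote address is a broadcast address at all; the defensible rule for a border device is to drop packets whose destination is the broadcast address of one of its *own* directly attached networks, which it does know.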
Web site devoted to Word documents with unintended strikeouts
<Henry Baker <hbaker1@pipeline.com>>
Tue, 30 Mar 2004 05:51:42 -0800

Even Microsoft itself can't keep its own people from publishing documents with deleted information in them. The Web site below hoists Microsoft on its own petard:
http://lcamtuf.coredump.cx/strikeout/
Risks of discarded receipts
<Tim Aidley <tim@planettimmy.com>>
Mon, 29 Mar 2004 23:32:01 +0100

Nowadays, most credit card receipts blank out portions of the credit card number so that discarded receipts cannot give it away to anyone who picks them up. However, the section of the credit card number that gets blanked out seems to vary between every shop. My wife was recently cleaning out her wallet of credit card purchase receipts and noticed that if someone was to get hold of several of her receipts, they would have enough information to piece the whole of her number together.

Our local council provides green bins for everybody for them to put their waste paper, glass and tin in, which is collected every week. If a snooper was to collect someone's paper waste and get three or four receipts they would have enough information (as obviously they know the address) to make fraudulent charges to a card.

I suppose the RISK here is assuming that a security measure that works in a single situation will work well when multiple situations are combined.

[We've probably discussed this problem before, but because the risks keep recurring, it is probably worth repeating. PGN]
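The composition problem Tim describes can be audited without handling any card numbers at all: treat each shop's masking as a set of digit positions it prints, and look at the union over a customer's receipts. The following is an added example, not code from the post; the masking patterns are constructed to stand in for different shops, and a 16-digit card number length is assumed.

```python
PAN_LENGTH = 16   # assumption: 16-digit card numbers


def printed_positions(pattern: str) -> set:
    """Digit positions (0-based) that a receipt prints.
    '#' marks a printed digit, '*' a masked one."""
    if len(pattern) != PAN_LENGTH or set(pattern) - {"#", "*"}:
        raise ValueError(f"pattern must be {PAN_LENGTH} characters of '#' and '*'")
    return {i for i, c in enumerate(pattern) if c == "#"}


def audit_masking(patterns) -> dict:
    """Combine the masking policies behind a set of receipts and report how much
    of the number they reveal together, and whether the policies agree."""
    exposed = set().union(*(printed_positions(p) for p in patterns))
    policies = {frozenset(printed_positions(p)) for p in patterns}
    return {
        "exposed_count": len(exposed),
        "hidden_positions": sorted(set(range(PAN_LENGTH)) - exposed),
        "fully_recoverable": len(exposed) == PAN_LENGTH,
        "consistent": len(policies) <= 1,
    }


# Constructed masking patterns standing in for different shops' receipts.
LAST_FOUR = "************####"        # shop A prints only the last four digits
FIRST_SIX_LAST_FOUR = "######******####"   # shop B prints first six and last four
FIRST_EIGHT = "########********"      # shop C prints the first eight
MIDDLE_FOUR = "********####****"      # shop D prints digits 9-12

if __name__ == "__main__":
    print("one policy everywhere:", audit_masking([LAST_FOUR] * 3))
    print("three shops:", audit_masking([LAST_FOUR, FIRST_SIX_LAST_FOUR, FIRST_EIGHT]))
    print("four shops:", audit_masking([LAST_FOUR, FIRST_SIX_LAST_FOUR, FIRST_EIGHT, MIDDLE_FOUR]))
```

Three receipts from different policies already expose 12 of 16 positions here; a fourth closes the gap. The same audit with every receipt printing only the last four never exposes more than four positions, which is the point: a masking rule is only as strong as the least-masked receipt in the bin, so the rule has to be common to every shop, not chosen per shop.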
Exploiting Software: How to Break Code, Hoglund/McGraw
<"Peter G. Neumann" <neumann@csl.sri.com>>
Mon, 22 Mar 2004 15:29:11 PST

Exploiting Software: How to Break Code
Greg Hoglund and Gary McGraw
Foreword by Avi Rubin
Addison-Wesley 2004
ISBN 0-201-78695-8

This book will rekindle the old argument long prevalent in RISKS about whether vulnerabilities and their exploitation should be discussed openly or whether such knowledge should be considered as hidden from public view (security by obscurity). In RISKS, we have long favored the realities that vulnerabilities do not get fixed as long as their existence is suppressed, and that the belief that supposedly hidden vulnerabilities cannot be detected by would-be attackers is simply counterproductive in the long run. The quote from Ed Felten on the front cover sums it up nicely: ``It's hard to protect yourself if you don't know what you are up against.'' PGN
