The RISKS Digest
Volume 23 Issue 32

Thursday, 15th April 2004

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



Republicans walk out of Federal hearing on voting machines, Lynn Landes
USB "square" plugs
Henry Baker
Re: Who's in charge of the e-mail virus war ...
Steve Summit
Radar guns, again
Adam Shostack
Wireless hacking
Citibank data compromised without using it?
Art Mellor
Re: Chinooks again
Peter B. Ladkin
REVIEW: "Ethics and Technology", Herman T. Tavani
Rob Slade
Info on RISKS (comp.risks)

Republicans walk out of Federal hearing on voting machines, Landes

Thu, 15 Apr 2004 12:02:17 EDT

Republicans Walk Out Of Federal Hearing On Voting Machines,
While Some Civil Rights Groups Support "Paperless" Elections
by Lynn Landes  April 13, 2004

As the battle over voting machines rages across the country, the U.S.
Commission on Civil Rights met on 9 Apr 2004, to examine the "Integrity,
Security and Accessibility in the Nation's Readiness to Vote."  Two
scientists and four representatives of civil rights organizations were
invited to brief the Commission.

But, before the panelists had a chance to share their views, three
Republican commissioners and one (notably conservative) Independent
commissioner walked out, ostensibly over a personnel dispute. But, others
are not so sure.

It appears that voting technology is a topic that the Republican leadership
wants to tightly control. It is without doubt that Republicans own most of
the companies that manufacture, sell, and service voting machines. And
President Bush and the Republican Congress appear determined to control and
limit oversight of the elections industry. The Bush Administration has
stacked the Election Assistance Commission with supporters of paperless
voting technology, while the National Institute of Standards and
Technology's (NIST) got walloped with a $22 million budget cut in fiscal
2004, which means that NIST will have to cut back substantially on its cyber
security work, as well as completely stop all work on voting technology for
the Help America Vote Act.

With no mandatory federal standards or certification in place and no funding
available, the Bush Administration and Republican-controlled Congress have
ensured that their friends in the elections industry maintain control of
voting technology and, in effect, election results.

So, at Friday's hearing, Republican members of the Commission of Civil
Rights decided that the issue of voting — the lynchpin of democracy — should
take a back seat to employee contract buyouts. Chairperson Mary Frances
Berry, a Professor of History and Adjunct Professor of Law, at the
University of Pennsylvania, decided to soldier on with the hearing.

And that's when the second big disappointment of the hearing became
apparent.  Some of America's largest civil rights organizations have lined
up with the Republicans on this subject. They support 'paperless' voting
technology. No fuss, no muss.

They are: Meg Smothers, Executive Director of the League of Women Voters of
Georgia, Wade Henderson, Executive Director of the Leadership Conference on
Civil Rights, Jim Dickson, Vice President, American Association of People
with Disabilities, and Larry Gonzalez, Director, National Association of
Latino Elected and Appointed Officials.

Only one panelist at Friday's hearing spoke out against paperless elections,
Dr. Rebecca Mercuri, one of the nation's leading experts on computer voting
security. It's a familiar muddle for Mercuri. Last year she was the only
election official kicked out of the annual conference of the International
Association of Clerks, Recorders, Election Officials, and Treasurers
(IACREOT). The complaint was that she wasn't really an election official,
which she really was.  So, it was perverse justice that at Friday's hearing
Mercuri found herself the only panelist invited in to defend the voter's
right to verify their own paper ballot.

Make that, "alleged" ballot. Since a machine-processed ballot can only
produce circumstantial evidence of the voter's intent. There was no one at
the hearing to represent the point of view that only voters have the right
to vote, not machines; that only voters can produce real evidence of their
own intent, not machines; and that with voting machines there is no
effective ability to discover vote fraud, no ability to enforce the Voting
Rights Act, no real integrity or security to the voting process, at all.

The hearing was a replay of many meetings this writer has attended on the
subject of voting machines. The focus was on regaining the voters' trust and
confidence in voting machines, while blaming poll workers for machine
"glitches" and malfunctions, and blaming the public for not being computer

The overall request of the panelists was for increased education of poll
workers and the public.

Jim Dickson continued to insist that the blind could not vote without
touchscreen machines, despite the fact that the paper ballot template with
an audiocassette (a combination that is used in Rhode Island, Canada, and
around the world), is a simpler and easier solution. As I have written in
previous columns, if election officials want a fast ballot count, they can
limit the size of the voting precincts or increase the number of election
officials. If more elections officials are needed they can be drafted into
public service as is done all year around for jury duty. Likewise, voters
who don't understand English could order ballots in their own language in
advance of an election.

Then there was the incredulous argument put forward that voting machines
save money, as reports filter in that some communities already need to
replace their 3-year-old touchscreen voting machines due to rampant
equipment malfunctions, costing millions more in taxpayer dollars.

Most of the panelists insisted to Commission members that paperless
touchscreen technology is the best performing voting system. But, how could
they know?  And performing at what? Accuracy, accessibility, vulnerability?
What about performing under the U.S. Constitution and the law?

Incredibly, there has been no comparative study conducted of all voting
systems on any level. The lack of comprehensive studies or standards is an
issue that the General Accounting Office (GAO) complained about in an
October 2001 report. The GAO report states, "Voting machines do not have
effective standards...The standards are voluntary; states are free to adopt
them in whole, in part, or reject them entirely."

Forgetting for a moment about the Constitutional issue, even if there was a
comprehensive technical analysis of all voting systems, it is
"vulnerability" — the ease with which votes can be manipulated or lost —
that should trump concerns about accuracy and accessibility. Let's just
assume that picking up the phone and calling-in our votes was the most
accurate and accessible way to vote.  Can anyone reasonably argue that it
would be a secure voting method?

Logic dictates that even if lots of people incorrectly fill out their
ballots and lots of election officials incorrectly count up the ballots, the
ability to move massive numbers of votes through technology (whether
deliberately or by accident), cannot compare to simple ballot box stuffing
or similar petty election crimes.

Even when we do look at the limited studies done on technical performance
(overvotes and undervotes), voting machines take a back seat to hand marked,
cast, and counted paper ballots. The latest Massachusetts Institute of
Technology (MIT) study actually puts hand counted paper ballots at the top
of the list for voting system performance for overvotes and undervotes. "The
difference between the best performing and worst performing technologies is
as much as 2 percent of ballots cast. Surprisingly, (hand-counted) paper
ballots — the oldest technology — show the best performance." This is the
finding of two Massachusetts Institute of Technology (MIT) political science
professors, Dr. Stephen Ansolabehere and Dr. Charles Stewart III, in a
September 25, 2002 study entitled, Voting Technology and Uncounted Votes in
the United States. This study was an update of a previous CalTech/MIT study.

Some of the panelists misrepresented the results of the California Recall
election, once again claiming that touchscreens performed the best, when in
fact, they did no such thing.

Dr. Mercuri, who has extensively studied that particular election, says,
"Essentially, what the California Recall Election showed was that it was not
the type of (voting) system (that matters), in other words, DREs (direct
recording electronics)/touchscreen, optical scan, or punchcard, but rather
the models within each of the types that could be either good or bad. For
example, the second best performing system in terms of residual votes
(undervotes or overvotes) was actually one of the punchcard systems. But,
(it was) the type that sucks the chad out rather than leaves it hanging
there. Even within particular systems, it (performance) could also be good
or bad. For example, the Diebold touchscreen, which out-performed all of the
systems in the yes/no California Recall question, was the eighth worst in
the candidates selection. This demonstrates that it is inappropriate to
characterize an entire family of systems, or even a particular system, as
good or bad just on the basis of their type. Further research has been
needed for a long time on improving the usability of voting systems, but to
date, funding has been lacking in comparison with the purchasing

Again, it doesn't take a PhD in computer science to conclude that vote fraud
or system failure in a machine-free election simply cannot compare to the
unlimited damage technology can do to the voting process. It is really a
question about how risk should be managed. Should the risk of election fraud
or system failure be spread out among millions of voters and thousands of
poll watchers, or should it be concentrated in the hands of a few
technicians - otherwise known as "putting all your eggs in one basket"?

On a personal note, having been informed by the Commission staff a few days
before the hearing about the composition of the panel, that the deck was
going to be stacked against voters and in favor of machines, I called and
offered to testify. As one of the lead journalists covering this subject, I
thought my contribution would help round out the testimony. Although my
offer was declined, a member of the Commission indicated that there might be
room for me at the next meeting, on May 17th. I sure hope so. Apparently,
that's when the voting machine manufacturers will be speaking.

Fundamentally, it doesn't really matter if corporations or government
officials control voting technology. The real issue is that 99.4% of
Americans aren't really voting, machines are. But, if C-SPAN covers the
hearing, perhaps the public will finally get the picture - that voting
machines aren't some passive technology designed to 'assist' with the voting
process. Instead, voting machines constitute a grab for power, a grab for
our votes. Having voting machine manufacturers appear before the Commission
could put a face on the farce that is voting in America today. And I'd sure
like to be there to help that process along.

Lynn Landes is the publisher of and a news reporter for DUTV in
Philadelphia, PA.  1-215-629-3553

USB "square" plugs

<Henry Baker <>>
Thu, 15 Apr 2004 08:49:58 -0700

I just discovered to my dismay that the USB "square" plug _does_ plug in
backwards, although it requires a bit more pressure.  I also notice that
some manufacturers install the female connectors backwards, so that the
roundy side is down/back, rather than up/front.  Unless you actually look at
the plug before you put it in, this arrangement would lead you to install
the plug backwards.

So far, I haven't actually destroyed any equipment, but have caused a large
number of reboots until I discovered what the problem was.


Re: Who's in charge of the e-mail virus war ... (Summit, RISKS 23.30)

<Steve Summit <>>
Tue, 13 Apr 2004 12:54:12 -0400

In RISKS-23.30, I mused about whether easily clicked-to-execute attachments
had reached some kind of irreversible inevitability, and inquired of RISKS
readers whether we could do anything about the resulting virus infestation.
The response was gratifyingly quick and voluminous, and based on it I can
state a conclusion which is not quite so gratifying: there isn't much

Several readers argued that combinations of existing strategies —
disallowing certain file types, scanning for known virus patterns,
correlating sending users and systems with DNS records, etc. — are
effective.  Some observed that it's an economic and/or political problem as
well as a technical one, and suggested that legal remedies might be
required.  Several more did agree that clickable executable attachments are
the root of the e-mail virus problem and that easy clickability for these
attachments must be specifically removed.  Others missed that point and
objected that users wouldn't tolerate losing *all* their clickable
attachments (i.e. including the non-executable, pure data ones).  But still
other readers advocated getting rid of all non-text attachments, clickable
or not.

Perhaps the largest class of responses pointed out various reasons why
disabling easily-clickable .exe attachments won't halt *all* e-mail viruses.
Some virus recipients will still be tricked into installing (or doing
whatever it takes to authorize) an executable attachment and running it
anyway.  Some non-directly-executable data types (such as Word documents and
Excel spreadsheets) can contain macros which can carry viruses.  In light of
these difficulties, some readers conclude that the problem is insoluble,
while others place their hopes in considerably more elaborate proposals,
such as strong sender authentication, or safe "sandboxes" for untrusted
code, or tiered capability-based execution environments, or a complete
overhaul and replacement of the entire SMTP-based e-mail infrastructure.

My purpose here was not to enter any debates about all the various proposals
which have been floated, but I will make the observation that we can't
afford to sit on our hands waiting for some evanescently perfect 100%
solution which either hasn't been invented yet, or would take years to
deploy.  The e-mail virus problem is *big*, so if we've got any workable
solutions that would "only" address 90% of the problem, those would be well
worth pursuing soon; they'd be an awful lot better than doing nothing.

In light of the varied responses I received, I'm less sure than I was that
focusing on easy clickability of executable attachments is the obvious
short-term approach.  But in closing, I must acknowledge David F. Skoll and
Erling Kristiansen, who both made the excellent point that, quite aside from
any technical solutions, we desperately need to work harder at educating
people that e-mail viruses are *not* inevitable, that they neither need to
be put up with nor merely reacted to.  It *is* possible to eradicate them,
mostly if not completely, proactively rather than reactively, and without
rendering e-mail (or even attachments) useless in the process.  Perhaps if
more users can be made aware of these facts, they'll insist that the
responsible vendors do something real, comply with some of these
suggestions, to eliminate the glaring, unnecessary, not-inevitable-after-all

Radar guns, again

<Adam Shostack <>>
Sat, 10 Apr 2004 09:15:04 -0400

A Belgian motorist received a speeding ticket for traveling in his Mini at
three times the speed of sound.  The ticket claimed the man had been caught
driving at 3379 kph (2,100 mph) - or Mach 3 speed - in a Brussels suburb
according to Belgian newspaper La Derniere Heure.

The police claim that human error was to blame for sending out the ticket
and have since apologized to the man and promised to fix the radar.

(Interestingly, different newspapers report the ticket as being different
speeds.) (but I can't find the original article)

  [Suppose they had put a bounds check that was somewhat greater than
  maximum that any vehicle was capable of attaining, thus preventing the
  system from issuing tickets for such obviously ridiculous speeds.
  Unfortunately, then if the radar was the culprit rather than the software,
  the real speedsters would all get tickets for going exactly the same
  default speed of the bounds check.  PGN]

    [So the questions are: 1) what are the failure modes of these things,
    and 2) how often does the unit clock cars at mach 3?  Is it easier to
    filter the failure, or fix it?  Are failures often enough to bother
    fixing, or should we accept a silly-season story once in a while? Adam]
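
PGN's bounds-check comment and Adam's questions describe a concrete failure mode: a bound applied by clamping turns every radar glitch into a ticket at the same default speed. The following added example (not part of the RISKS item; the readings, plates and the 400 kph ceiling are constructed) contrasts that clamping policy with withholding implausible readings for review, and counts how often the unit produces them.

```python
"""Plausibility checks on speed-camera readings: clamping vs. rejecting.

Added example, not taken from the RISKS item. All readings below are
constructed; the 3379 kph figure is the one quoted in the post.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical ceiling: comfortably above any road vehicle, far below Mach 3.
MAX_PLAUSIBLE_KPH = 400


@dataclass(frozen=True)
class Reading:
    plate: str
    kph: int


@dataclass(frozen=True)
class Ticket:
    plate: str
    kph: int


# Constructed sample: two sane readings, one real speeder, two sensor glitches.
SAMPLE_READINGS = [
    Reading("AAA-001", 3379),
    Reading("AAA-002", 48),
    Reading("AAA-003", 95),
    Reading("AAA-004", 9000),
    Reading("AAA-005", 66),
]


def clamp_policy(readings: List[Reading], limit_kph: int) -> List[Ticket]:
    """The bounds check PGN describes: clamp the reading to the ceiling.

    A radar glitch survives as a ticket for exactly MAX_PLAUSIBLE_KPH, so
    every glitch yields the same 'default' speed and nothing flags the fault.
    """
    tickets = []
    for r in readings:
        kph = min(r.kph, MAX_PLAUSIBLE_KPH)
        if kph > limit_kph:
            tickets.append(Ticket(r.plate, kph))
    return tickets


def reject_policy(readings: List[Reading],
                  limit_kph: int) -> Tuple[List[Ticket], List[Reading]]:
    """Bounds check as a sanity filter.

    A reading over the ceiling is evidence of a sensor or software fault, so
    it is withheld from ticketing and queued for human review rather than
    reported as a speed.
    """
    tickets, review = [], []
    for r in readings:
        if r.kph > MAX_PLAUSIBLE_KPH:
            review.append(r)
        elif r.kph > limit_kph:
            tickets.append(Ticket(r.plate, r.kph))
    return tickets, review


def implausible_fraction(readings: List[Reading]) -> float:
    """Share of readings over the ceiling: a rough answer to 'how often does
    the unit clock cars at Mach 3?' and a trigger for servicing the radar."""
    if not readings:
        return 0.0
    bad = sum(1 for r in readings if r.kph > MAX_PLAUSIBLE_KPH)
    return bad / len(readings)


if __name__ == "__main__":
    print("clamp :", clamp_policy(SAMPLE_READINGS, limit_kph=70))
    print("reject:", reject_policy(SAMPLE_READINGS, limit_kph=70))
    print("glitch fraction:", implausible_fraction(SAMPLE_READINGS))
```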

Wireless hacking

<"NewsScan" <>>
Tue, 13 Apr 2004 06:54:28 -0700

Pointing to a rise in wireless hacking, security expert Joshua Wright of the
SANS Institute warns: "All the money you've spent to protect your corporate
network is moot if someone hacks your laptop at a wireless access point."
And Don LeBeau of security firm Aruba Wireless Networks says that at least
one Silicon Valley company suspected it was the target of corporate
espionage when it found an unauthorized device surreptitiously establishing a
hot spot from a conference room. Shai Guday, group program manager for
wireless at Microsoft, urges companies to take the wireless hacking threat
seriously: "Wireless is happening. They can't bury their heads in the sand.
Wireless is great, but security is more important."  [*USA Today*, 13 Apr
2004; NewsScan Daily, 13 April 2004]

Citibank data compromised without using it?

<Art Mellor <>>
Sat, 10 Apr 2004 10:30:06 -0400

The other day I got a call from the Fraud Alert department at Citibank. When
I called, they informed me that my Citibank card had been compromised when
data was stolen from BJs (a big discount club like CostCo and Sam's). They
noted I had probably heard about this in the news (which I had).

They said they were cancelling my card for my protection, and issuing me a
new one. While I am a customer of BJs, I have never used my Citibank card
there. I exclusively use my Discover card. I asked how my credit card number
could be at BJs if I have never used it there. The service rep said that
maybe it was some other info that had been taken, such as my birth date,
SSN, etc.  When I asked how issuing me a new card would protect me given
that "they" already had my sensitive information, I was reprimanded for not
appreciating them doing all they could to protect my identity.

I told them to cancel the card, but not issue a new one - I'd use another
bank. I called Discover to ask if my information had been compromised, and
according to them, my information was not on the BJs list of compromised

So what's going on here? Is there really some information that isn't the
card number that can compromise the card and by getting a new card make me
safe? Is Citibank pulling a scam to get me a new card with undoubtedly a new
set of conditions? Did Citibank share information including my card number
with BJs for some reason?

Art Mellor : Support the Cure for MS : 617/899-2360

Re: Chinooks again (Youngman, RISKS-23.31)

<"Peter B. Ladkin" <>>
Sat, 10 Apr 2004 07:44:37 +0200

Neil Youngman said in RISKS-23.31, concerning the recent purchase by the UK
MoD of Chinook helicopters, that are sitting on the ground because of severe
restrictions on flight, that

  The helicopters were supposed to be in service 6 years ago, but problems
  with radar systems, mean they can not fly in cloud.

This is an incorrect attribution of cause. As far as I know, there are no
indications of actual system problems. The cause of the flight restrictions
may be found in paragraphs 3.39-3.43 of the UK National Audit Office report
"Battlefield Helicopters", 7 April 2004, available from

The report says that problems with the Chinook HC3 procurement are fourfold:
1. There is a certification problem with the software.
2. The contract did not specify that all the military requirements should
   be fulfilled. It was assumed that certain capabilities could be
   retrofitted. They haven't all been, yet.
3. The HC3 has a unique configuration, necessitating additional testing.
4. Capabilities need to be enhanced to deal with a changing operational

The NAO estimates an in-service date of at least mid-2007 for a machine at
least as capable as the current HC2/2a variant used by British forces,
providing additional funding (about 50% of procurement costs) is found.

The procurement contract apparently did not specify that the system software
documentation and code shall be analysed according to military procurement
standards on software integrity. It was apparently thought that an adequate
safety case could be constructed on the basis of similar systems procured by
the Royal Netherlands Air Force. This turned out not to be so.

There are two main reasons why an adequate safety case cannot easily be
constructed retrospectively. One is restricted access to the source code and
other development data. The other is that "legacy software is not amenable
to the techniques required to confirm the robustness of software design". It
is going to cost a lot and there is no guarantee of success.

"Consequently, the Chinook HC3 is currently restricted to day/night flying
above 500 feet in weather clear of cloud, and where the pilot can fly the
aircraft solely using external reference points without relying on the
flight displays.  These restrictions mean that the helicopters cannot be
used other than for limited flight trials." (NAO)

Thanks to David Tombs, of the University of Queensland, for the reference.

Peter B. Ladkin, University of Bielefeld,

REVIEW: "Ethics and Technology", Herman T. Tavani

<Rob Slade <>>
Mon, 12 Apr 2004 08:09:21 -0800

BKETHTCH.RVW   20031025

"Ethics and Technology", Herman T. Tavani, 2004, 0-471-24966-1, U$56.80
%A   Herman T. Tavani
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2004
%G   0-471-24966-1
%I   John Wiley & Sons, Inc.
%O   U$56.80 416-236-4433 fax: 416-236-4448
%P   344 p.
%T   "Ethics and Technology"

The preface states that this is a textbook on ethical issues in cyber
(computer and possibly communications) technology for computer
science, philosophy, sociology, and library science students.

Chapter one is an introduction to cyberethics, providing the concepts,
perspectives, and a methodological framework.  There is more detailed
examination of the structure of, and practical approach to, ethics
than in any other computer ethics book I've reviewed.  The questions
at the end of the chapter are mostly simple, but some call for
analysis and judgment.  Establishing a moral system, in chapter two,
contemplates using ethics to review consequences, dealing with duty-,
contract-, and character-based theories.  The material is detailed
but, disappointingly after the good start in chapter one, breaks no
new ground.  Critical thinking, logical argument, and the problems
with fallacious arguments are considered in chapter three.
Professional ethics are in chapter four.  Chapter five has a basic but
fairly complete review of privacy, better than some books on the topic
(although it does retail the data mining/diapers and beer myth).
Chapter six is a general introduction to security, with almost no
mention of ethics.  Cybercrime, in chapter seven, buys into the myth
of the "evil teenage genius," and, again, has almost no mention of
ethics.  Chapter eight's discussion of intellectual property deals
with ethics of copyright and related concepts, but is not as rigorous
as chapter one.  Regulation of cyberspace, in chapter nine, is
similar.  There is fairly standard coverage of equity, access, and
employment, in chapter ten, and community and identity, in eleven.

One could have hoped for a book that delivered on the promise of
chapter one, but, even without, this is a worthwhile addition to the
computer ethics bookshelf.

copyright Robert M. Slade, 2003   BKETHTCH.RVW   20031025

