Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
*The New York Times* lead editorial on 7 Nov 2004 is titled
``New Standards for Elections''.
"... the mechanics of our democracy remain badly flawed. From
untrustworthy electronic voting machines, to partisan secretaries of
state, to outrageously long lines at the polls, the election system was
far from what voters are entitled to."
Here is my PGN-ed summary of their recommendations:
1. Election day should be a holiday (rather than penalizing employees for
having to take time off to vote).
2. Early voting can allow people to vote when it is convenient for them.
3. Voter-verified audit trails, source code accessibility to election
officials, spot checks of code on Election Day (as is done in Nevada's
slot machines!)
4. Shorter lines at the polls, standards for numbers of voting machines and
poll workers.
5. Impartial election administrators, and restrictions on insiders endorsing
candidates.
6. Uniform and inclusive voter registration standards.
7. Accurate and transparent voting roll purges.
8. Uniform and voter-friendly standards for counting provisional ballots.
9. Upgraded voting machines and improved ballot design.
10. Fair and uniform voter ID rules.
11. An end to minority vote suppression, disenfranchisement, harassment,
dirty tricks.
12. Improved absentee ballot procedures, e.g., downloading absentee ballots
from the Internet, but avoiding the ballot-by-scan/fax/e-mail with
explicit loss of privacy.
The full editorial as well as the entire series can be found at
nytimes.com/makingvotescount .
For those of you interested in following a collection of reported problems
more carefully, here are just a few reported anomalies, collected from a
variety of sources:
* Palm Beach County logged 88,000 more votes than people who had voted in
the presidential race. (Teresa LePore of 2000 Butterfly Ballot fame is
the County supervisor of elections there.)
* A Franklin County Ohio machine error gave Bush 3,893 extra votes in a
precinct in Gahanna. The correct totals were 365 for Bush, 260 for Kerry.
* In Broward County FL, in balloting for Amendment 4, ES&S software for
tabulating absentee ballots began counting BACKWARDS once a total of
32,767 [2^15 - 1, in a signed 16-bit field] votes had been reached in a
precinct. When this was discovered, the corrected totals for the precinct
went from 166,000 to 240,000, and actually caused the statewide results to
be reversed on this amendment. Apparently the same flaw was detected two
years ago in the same software, and remained uncorrected.
Nick Simicich wondered in a long message to RISKS:
Do you suppose that they "fixed" this by making the 16 bit field
unsigned? Or do you suppose that they counted the numbers separately
using, say, floating point so that they could check the results for
large discrepancies? Or maybe that they checked the before and after to
see that the numbers increased when they added to them...or anything
else that they could do to make this self auditing? Nah...frankly, I'm
scared by the stupidity of this error. This is a problem that needs an
open source solution.
* The failure of the ES&S ranked-choice vote-counting software in the San
Francisco Supervisors' election that I noted in RISKS-23.58 turns out to
have been a hard-coded constant maximum number of voters that was set too
low. The fix was utterly trivial, but wisely required recertification by
the State. [Perhaps the same programmer wrote the Broward software?]
* Bev Harris reported that ``Jeff Fisher, the Democratic candidate for the
U.S. House from Florida's 16th District said he was waiting for the FBI to
show up. Fisher has evidence, he says, not only that the Florida election
was hacked, but of who hacked it and how... In Baker County, for example,
with 12,887 registered voters, 69.3% of them Democrats and 24.3% of them
Republicans, the vote was only 2,180 for Kerry and 7,738 for Bush.... Dick
Morris [famous consultant to both parties, now with Fox News] wrote "So,
according to ABC-TVs exit polls, for example, Kerry was slated to carry
Florida, Ohio, New Mexico, Colorado, Nevada, and Iowa.... Exit polls
cannot be as wrong across the board as they were on election night. I
suspect foul play." '' [See http://www.blackboxvoting.org , *NOT* .com]
* Incidentally, Ralph Barone noted an article on the internal database
structures of the Diebold voting machines, plus how to hack an election
and cover your trail afterwards.
http://www.blackboxvoting.com/scoop/S00065.htm
* There were numerous reports of screens "jumping" votes in ES&S and Hart
InterCivic machines, where casting a straight-party subsequently changes
the vote for the President before exiting.
* Also reported were many cases of long lines and long waits only in certain
politically skewed precincts, many legitimate voters who claim they were
disenfranchised, voters who were given special optical scan pens that were
not capable of being tallied, and so on.
Many Web sources provided running lists of reported anomalies, such as
http://www.votersunite.org
http://fairvote.org/easttowest.pdf
https://voteprotect.org
http://www.verifiedvoting.org/eirs/
http://www.electionprotection2004.org/coalition.htm
http://www.blackboxvoting.org
Eight eBay sellers who bid up products online to inflate their prices have been ordered by the New York Attorney General's office to pay almost $90,000 in restitution and fines. More than 120 people will receive money from the settlement of the three cases. One man will receive a check for $3,089 after overpaying for a 1999 Jeep Cherokee sport-utility vehicle he bought from an eBay seller in 2002. [*The Washington Post*, 7 Nov 2004; NewsScan Daily, 8 Nov 2004] http://www.washingtonpost.com/wp-dyn/articles/A32944-2004Nov7.html
Timothy L. O'Brien, (*The New York Times*, 24 Oct 2004) Pausing in the foyer of a comfortable suburban home two days before Halloween in 2002, Kevin Barrows, a special agent with the F.B.I., could not bring himself to open the front door. He and a team of agents had just spent several hours searching every room in the house, in New Rochelle, N.Y., but they were leaving empty-handed. Months of investigating had led Mr. Barrows to believe that someone was orchestrating a huge fraud from the house, yet he had not found a single scrap of evidence. Still, something bothered him about the furniture in one of the bedrooms. It seemed oddly oversized. So he headed back upstairs for a second look, and his attention focused on an expansive canopy over the bed. When he pushed at the draping, he found that it was weighed down with files. They contained reams of confidential financial information about hundreds of individuals whose identities had been pilfered in an intricate scheme that illicitly netted more than $50 million. Two years later, the New Rochelle home has emerged as a linchpin in what federal law enforcement authorities describe as the biggest case of identity theft ever uncovered in the United States. The scheme was essentially masterminded by just two people: Linus Baptiste, who lived in the house and had contacts with a sprawling ring of Nigerian street criminals, and Philip A. Cummings, his former brother-in-law, who worked as a help-desk clerk at a Long Island software company. At least 30,000 people nationwide were victimized, according to law enforcement authorities and court documents. ... http://www.nytimes.com/2004/10/24/business/yourmoney/24theft.html
Pirated copies of the sci-fi action title "Halo 2" and games such as "Grand Theft Auto: San Andreas" and "Half-Life 2" have been circulating on file-sharing networks, news groups and Web sites even before their official release to consumers. Brian Jarrard of Microsoft's Bungie Studio, which produced "Halo 2," complains: "You spend three years of your life pouring everything you have into this project, and then somebody gets their hands on the game and gives it away to the world for free. We made this, and these guys had no right to give it out to the public." Douglas Lowenstein, president of the Entertainment Software Association, admits: "The problem and challenge with piracy is that there are people out there on a worldwide basis who've identified piracy as a very profitable enterprise. You don't end this problem overnight." [AP 8 Nov 2004; NewsScan Daily, 8 Nov 2004] http://apnews.excite.com/article/20041108/D867MSU80.html
Wharton business professor Joel Waldfogel says the music industry is mistakenly pursuing a short-term strategy in backing the Inducing Infringement of Copyrights Act of 2004, which would hold liable any entity that "intentionally aids, abets, induces or procures" copyrighted material. Rather than fighting technological advances through litigation, the music industry must come up with new business models — for instance, taking advantage of the Internet to slash its distribution costs. "Instead of putting out CDs and shipping them on trucks, they can send them directly at a very low cost. That does suggest a very different business model than charging $15 or $20 for a CD. It might be a much more attractive way to do things. Stuff that is easy to distribute wants to be free. Given that force, I think [the recording industry] needs to come up with a new model for generating income," says Waldfogel. [Knowledge@Wharton, Oct 20-Nov 2 2004; NewsScan Daily, 25 Oct 2004] http://knowledge.wharton.upenn.edu/index.cfm?fa=viewArticle&id=1066
The UK's BBC Breakfast news reported a security issue with the Cahoot Internet bank. Apparently due to a recent system upgrade 12 days ago it was possible to access other users' accounts with only their user ID (normally, a password and set of "memorable information" is required before access is granted). The report did not reveal the full details for obvious reasons, but implied that it was necessary to know the user's login name, which certainly for other banks is not directly related to the user's name. It was also confirmed by Cahoot that it would not be possible to transfer any money without knowledge of the password and memorable information. Cahoot reacted promptly when the issue was confirmed, closing the site for ten hours while the cause was investigated and resolved. The system is now up and running and the vulnerability has been removed. Although no financial loss was possible, this was a serious confidentiality breach albeit mitigated by ease of access to the user's login name. Needless to say the bad publicity will probably cause confidence problems for Cahoot and other online banks. Lessons to be learned include the need for comprehensive regression testing of security after system upgrades, and the difficulty in bolting on session security to web-based systems. Full details are on the BBC's web site at http://news.bbc.co.uk/1/hi/programmes/breakfast/3984641.stm Surprisingly, Cahoot have no statement on their site regarding the issue. The FAQ on "Security" states "However, we can reassure you that the site is tested regularly by independent security experts who are satisfied that the site is secure". [Also noted by Michael Bacon. PGN]
The Australian bank Westpac decided to implement its promised security upgrade to their internet banking service on the weekend, only to have something go wrong and lockout thousands of customers (I would know as my Dad called me not long after I had the same problem.) As their support line is only open 8am to 5pm during the week there was no one I could call to report the problem. When I rang this morning there was a recorded message regarding the problem with the service (I suspect they had to put it up or else their support line would be flooded.) They tout their online banking service as being 24/7, but if they don't have the support to go with it, what is the use of having it? Also, if they were going to require a change of passwords for a system upgrade, I think they should have sent a message out by mail at least two weeks in advance. At least I haven't had any money stolen from me via the online banking service like what happened to service National Australia Bank customers last year. Tim Chmielewski Webmaster, Human Edge Software http://www.humanedge.biz
Re: Do vendors read their own security policies? <jmeissen@aracnet.com> I get frequent mailings from two Dutch banks, who apparently use the same PR company to send out their mailings. Both the mailings and the URLs (for special offers) refer to sites *not* under the control of the bank.
>And then there's the story (perhaps an urban legend) about people mailing >supposedly-defective electronic toll tokens back to the issuing highway >authority, and being billed for the tollbooths the mail truck passed >through... It's well documented. E-ZPass toll transponders contain a battery which eventually wears out, so every few years they send you a new pass and tell you return the old one. They provide a conductive bag that prevents the pass from responding, but a certain number of people don't bother to put the pass in the bag and it gets read on the way to the service center. The specific cases I've heard about were on the NJ Turnpike on the way to the Staten Island service center, but since all of the E-ZPass centers are close to the roads or bridges they serve, it happens all the time. [Yes. Paul Schreiber notes Susan Landau's item in RISKS-23.01 on this very subject. Sorry I neglected to interject that. PGN]
Since 1996, when the UK changed it's 'daylight saving' schedule to be in line with continental Europe, it's always been the last Sunday of March and October when this change occurs. That was 8 years ago! http://wwp.greenwichmeantime.com/time-zone/rules/eu.htm http://www.nmm.ac.uk/site/request/setTemplate:singlecontent/contentTypeA/conWebDoc/contentId/344 The risk seems to be people 'interpreting' the 'last Sunday' to mean the 'fourth Sunday', and not taking into account a month with 5 Sundays... Martin Hepworth, Senior Systems Administrator, Solid State Logic Ltd tel: +44 (0)1865 842300
[...] The BST to GMT switch happened on the 5th Sunday of October in 1950, 1961, 1967, 1971, 1972, 1978, 1989, 1999, and 2000. (Source: http://wwp.greenwichmeantime.com/info/bst2.htm) Mike Causer http://www.mikecauser.com mikec@mikecauser.com
> But is the Windows operating system really reliable and secure enough for > these kinds of applications? Apple is missing out on a huge market here by not allowing their OS to run on other vendors' hardware. Nobody's going to buy a Mac to run an ATM or a cash register, but they might buy the OS if they thought it would work better.
To be fair to John Deere, as far as I can tell this particular robot is intended to be used purely for surveillance and will not have offensive capabilities. But Edward Nilges is still correct in his analysis of the risks of offensive robots. I especially agree with the analogy to land mines. I recall a science fiction story from nearly 50 years ago that warned of the problems of a killer robot still searching for targets long after the war had happened. Perhaps we should insist that everyone in the Pentagon read old SF? Geoff Kuenning geoff@cs.hmc.edu http://www.cs.hmc.edu/~geoff/
The October issue of Cryptologia has a review of "Malicious Cryptography: Exposing Cryptovirology" by Adam L. Young and Moti Yung, about the use of cryptography by crackers.
Please report problems with the web pages to the maintainer