Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 23: Issue 59

Monday 8 November 2004

Contents

New Standards for Elections

NYT editorial summarized by PGN

Some 2004 voting anomalies

Bidding up prices on online auctions

NewsScan

Identities stolen in seconds

Timothy L. O'Brien via Monty Solomon

Pirates see video games before paying customers do

NewsScan

Music industry on the wrong course

NewsScan

Cahoot online banking security issue

Nik Barron

Westpac Internet Banking problems

Tim Chmielewski

Banks and their marketing/PR departments

Henk Langeveld

Re: TV emits international distress signal

John Levine

Re: Clocks set back a week too early

Martin Hepworth
Mike Causer

Re: Is Windows up to snuff for running our world?

Ron Bean

Re: Battlefield Robotics are risk to the world public

Geoff Kuenning

Book on malicious cryptography

J.H. Haynes

Info on RISKS (comp.risks)

New Standards for Elections

<"Peter G. Neumann" <neumann@csl.sri.com>>

Sun, 7 Nov 2004 9:45:22 PST

*The New York Times* lead editorial on 7 Nov 2004 is titled
``New Standards for Elections''.

  "... the mechanics of our democracy remain badly flawed.  From
  untrustworthy electronic voting machines, to partisan secretaries of
  state, to outrageously long lines at the polls, the election system was
  far from what voters are entitled to."

Here is my PGN-ed summary of their recommendations:

1. Election day should be a holiday (rather than penalizing employees for
   having to take time off to vote).

2. Early voting can allow people to vote when it is convenient for them.

3. Voter-verified audit trails, source code accessibility to election
   officials, spot checks of code on Election Day (as is done in Nevada's
   slot machines!)

4. Shorter lines at the polls, standards for numbers of voting machines and
   poll workers.

5. Impartial election administrators, and restrictions on insiders endorsing
   candidates.

6. Uniform and inclusive voter registration standards.

7. Accurate and transparent voting roll purges.

8. Uniform and voter-friendly standards for counting provisional ballots.

9. Upgraded voting machines and improved ballot design.

10. Fair and uniform voter ID rules.

11. An end to minority vote suppression, disenfranchisement, harassment,
    dirty tricks.

12. Improved absentee ballot procedures, e.g., downloading absentee ballots
    from the Internet, but avoiding the ballot-by-scan/fax/e-mail with
    explicit loss of privacy.

The full editorial as well as the entire series can be found at
nytimes.com/makingvotescount .

Some 2004 voting anomalies

<"Peter G. Neumann" <neumann@csl.sri.com>>

Mon, 8 Nov 2004 16:01:13 PST

For those of you interested in following a collection of reported problems
more carefully, here are just a few reported anomalies, collected from a
variety of sources:

* Palm Beach County logged 88,000 more votes than people who had voted in
  the presidential race.  (Teresa LePore of 2000 Butterfly Ballot fame is
  the County supervisor of elections there.)

* A Franklin County Ohio machine error gave Bush 3,893 extra votes in a
  precinct in Gahanna.  The correct totals were 365 for Bush, 260 for Kerry.

* In Broward County FL, in balloting for Amendment 4, ES&S software for
  tabulating absentee ballots began counting BACKWARDS once a total of
  32,767 [2^15 - 1, in a signed 16-bit field] votes had been reached in a
  precinct.  When this was discovered, the corrected totals for the precinct
  went from 166,000 to 240,000, and actually caused the statewide results to
  be reversed on this amendment.  Apparently the same flaw was detected two
  years ago in the same software, and remained uncorrected.
  Nick Simicich wondered in a long message to RISKS:
    Do you suppose that they "fixed" this by making the 16 bit field
    unsigned?  Or do you suppose that they counted the numbers separately
    using, say, floating point so that they could check the results for
    large discrepancies?  Or maybe that they checked the before and after to
    see that the numbers increased when they added to them...or anything
    else that they could do to make this self auditing?  Nah...frankly, I'm
    scared by the stupidity of this error.  This is a problem that needs an
    open source solution.

* The failure of the ES&S ranked-choice vote-counting software in the San
  Francisco Supervisors' election that I noted in RISKS-23.58 turns out to
  have been a hard-coded constant maximum number of voters that was set too
  low.  The fix was utterly trivial, but wisely required recertification by
  the State.  [Perhaps the same programmer wrote the Broward software?]

* Bev Harris reported that ``Jeff Fisher, the Democratic candidate for the
  U.S. House from Florida's 16th District said he was waiting for the FBI to
  show up.  Fisher has evidence, he says, not only that the Florida election
  was hacked, but of who hacked it and how... In Baker County, for example,
  with 12,887 registered voters, 69.3% of them Democrats and 24.3% of them
  Republicans, the vote was only 2,180 for Kerry and 7,738 for Bush.... Dick
  Morris [famous consultant to both parties, now with Fox News] wrote "So,
  according to ABC-TVs exit polls, for example, Kerry was slated to carry
  Florida, Ohio, New Mexico, Colorado, Nevada, and Iowa.... Exit polls
  cannot be as wrong across the board as they were on election night. I
  suspect foul play." ''  [See http://www.blackboxvoting.org , *NOT* .com]

* Incidentally, Ralph Barone noted an article on the internal database
  structures of the Diebold voting machines, plus how to hack an election
  and cover your trail afterwards.
    http://www.blackboxvoting.com/scoop/S00065.htm

* There were numerous reports of screens "jumping" votes in ES&S and Hart
  InterCivic machines, where casting a straight-party subsequently changes
  the vote for the President before exiting.

* Also reported were many cases of long lines and long waits only in certain
  politically skewed precincts, many legitimate voters who claim they were
  disenfranchised, voters who were given special optical scan pens that were
  not capable of being tallied, and so on.

Many Web sources provided running lists of reported anomalies, such as
  http://www.votersunite.org
  http://fairvote.org/easttowest.pdf
  https://voteprotect.org
  http://www.verifiedvoting.org/eirs/
  http://www.electionprotection2004.org/coalition.htm
  http://www.blackboxvoting.org

Bidding up prices on online auctions

<"NewsScan" <newsscan@newsscan.com>>

Mon, 08 Nov 2004 07:57:29 -0700

Eight eBay sellers who bid up products online to inflate their prices have
been ordered by the New York Attorney General's office to pay almost $90,000
in restitution and fines. More than 120 people will receive money from the
settlement of the three cases. One man will receive a check for $3,089 after
overpaying for a 1999 Jeep Cherokee sport-utility vehicle he bought from an
eBay seller in 2002.  [*The Washington Post*, 7 Nov 2004; NewsScan Daily, 8
Nov 2004]
  http://www.washingtonpost.com/wp-dyn/articles/A32944-2004Nov7.html

Identities stolen in seconds

<Monty Solomon <monty@roscom.com>>

Sun, 24 Oct 2004 03:51:42 -0400

Timothy L. O'Brien, (*The New York Times*, 24 Oct 2004)

Pausing in the foyer of a comfortable suburban home two days before
Halloween in 2002, Kevin Barrows, a special agent with the F.B.I., could not
bring himself to open the front door. He and a team of agents had just spent
several hours searching every room in the house, in New Rochelle, N.Y., but
they were leaving empty-handed.  Months of investigating had led Mr. Barrows
to believe that someone was orchestrating a huge fraud from the house, yet
he had not found a single scrap of evidence.

Still, something bothered him about the furniture in one of the bedrooms. It
seemed oddly oversized. So he headed back upstairs for a second look, and
his attention focused on an expansive canopy over the bed. When he pushed at
the draping, he found that it was weighed down with files. They contained
reams of confidential financial information about hundreds of individuals
whose identities had been pilfered in an intricate scheme that illicitly
netted more than $50 million.

Two years later, the New Rochelle home has emerged as a linchpin in what
federal law enforcement authorities describe as the biggest case of identity
theft ever uncovered in the United States. The scheme was essentially
masterminded by just two people: Linus Baptiste, who lived in the house and
had contacts with a sprawling ring of Nigerian street criminals, and Philip
A. Cummings, his former brother-in-law, who worked as a help-desk clerk at a
Long Island software company. At least 30,000 people nationwide were
victimized, according to law enforcement authorities and court documents.
...
  http://www.nytimes.com/2004/10/24/business/yourmoney/24theft.html

Pirates see video games before paying customers do

<"NewsScan" <newsscan@newsscan.com>>

Mon, 08 Nov 2004 07:57:29 -0700

Pirated copies of the sci-fi action title "Halo 2" and games such as "Grand
Theft Auto: San Andreas" and "Half-Life 2" have been circulating on
file-sharing networks, news groups and Web sites even before their official
release to consumers. Brian Jarrard of Microsoft's Bungie Studio, which
produced "Halo 2," complains: "You spend three years of your life pouring
everything you have into this project, and then somebody gets their hands on
the game and gives it away to the world for free. We made this, and these
guys had no right to give it out to the public." Douglas Lowenstein,
president of the Entertainment Software Association, admits: "The problem
and challenge with piracy is that there are people out there on a worldwide
basis who've identified piracy as a very profitable enterprise. You don't
end this problem overnight."  [AP 8 Nov 2004; NewsScan Daily, 8 Nov 2004]
  http://apnews.excite.com/article/20041108/D867MSU80.html

Music industry on the wrong course

<"NewsScan" <newsscan@newsscan.com>>

Mon, 25 Oct 2004 08:01:44 -0700

Wharton business professor Joel Waldfogel says the music industry is
mistakenly pursuing a short-term strategy in backing the Inducing
Infringement of Copyrights Act of 2004, which would hold liable any entity
that "intentionally aids, abets, induces or procures" copyrighted material.
Rather than fighting technological advances through litigation, the music
industry must come up with new business models -- for instance, taking
advantage of the Internet to slash its distribution costs. "Instead of
putting out CDs and shipping them on trucks, they can send them directly at
a very low cost. That does suggest a very different business model than
charging $15 or $20 for a CD. It might be a much more attractive way to do
things. Stuff that is easy to distribute wants to be free. Given that force,
I think [the recording industry] needs to come up with a new model for
generating income," says Waldfogel.  [Knowledge@Wharton, Oct 20-Nov 2 2004;
NewsScan Daily, 25 Oct 2004]
  http://knowledge.wharton.upenn.edu/index.cfm?fa=viewArticle&id=1066

Cahoot online banking security issue

<Nik Barron <Nik.Barron@pennantplc.co.uk>>

Fri, 5 Nov 2004 08:23:15 -0000

The UK's BBC Breakfast news reported a security issue with the Cahoot
Internet bank. Apparently due to a recent system upgrade 12 days ago it was
possible to access other users' accounts with only their user ID (normally,
a password and set of "memorable information" is required before access is
granted).

The report did not reveal the full details for obvious reasons, but implied
that it was necessary to know the user's login name, which certainly for
other banks is not directly related to the user's name. It was also
confirmed by Cahoot that it would not be possible to transfer any money
without knowledge of the password and memorable information.

Cahoot reacted promptly when the issue was confirmed, closing the site for
ten hours while the cause was investigated and resolved. The system is now
up and running and the vulnerability has been removed.

Although no financial loss was possible, this was a serious confidentiality
breach albeit mitigated by ease of access to the user's login name. Needless
to say the bad publicity will probably cause confidence problems for Cahoot
and other online banks. Lessons to be learned include the need for
comprehensive regression testing of security after system upgrades, and the
difficulty in bolting on session security to web-based systems.

Full details are on the BBC's web site at
http://news.bbc.co.uk/1/hi/programmes/breakfast/3984641.stm

Surprisingly, Cahoot have no statement on their site regarding the issue.
The FAQ on "Security" states "However, we can reassure you that the site is
tested regularly by independent security experts who are satisfied that the
site is secure".

  [Also noted by Michael Bacon.  PGN]

Westpac Internet Banking problems

<"Tim Chmielewski" <tim@humanedge.biz>>

Mon, 8 Nov 2004 08:19:12 +1100

The Australian bank Westpac decided to implement its promised security
upgrade to their internet banking service on the weekend, only to have
something go wrong and lockout thousands of customers (I would know as my
Dad called me not long after I had the same problem.)

As their support line is only open 8am to 5pm during the week there was no
one I could call to report the problem. When I rang this morning there was a
recorded message regarding the problem with the service (I suspect they had
to put it up or else their support line would be flooded.)

They tout their online banking service as being 24/7, but if they don't have
the support to go with it, what is the use of having it?

Also, if they were going to require a change of passwords for a system
upgrade, I think they should have sent a message out by mail at least two
weeks in advance.

At least I haven't had any money stolen from me via the online banking
service like what happened to service National Australia Bank customers last
year.

Tim Chmielewski  Webmaster, Human Edge Software  http://www.humanedge.biz

Banks and their marketing/PR departments

<Henk Langeveld <hlangeveld@mailworks.org>>

Fri, 05 Nov 2004 11:42:55 +0100

Re: Do vendors read their own security policies? <jmeissen@aracnet.com>

I get frequent mailings from two Dutch banks, who apparently use the same PR
company to send out their mailings.  Both the mailings and the URLs (for
special offers) refer to sites *not* under the control of the bank.

Re: TV emits international distress signal (Hogsett, RISKS-23.57)

<John Levine <johnl@iecc.com>>

5 Nov 2004 00:43:55 -0000

>And then there's the story (perhaps an urban legend) about people mailing
>supposedly-defective electronic toll tokens back to the issuing highway
>authority, and being billed for the tollbooths the mail truck passed
>through...

It's well documented.  E-ZPass toll transponders contain a battery which
eventually wears out, so every few years they send you a new pass and tell
you return the old one.  They provide a conductive bag that prevents the
pass from responding, but a certain number of people don't bother to put the
pass in the bag and it gets read on the way to the service center.  The
specific cases I've heard about were on the NJ Turnpike on the way to the
Staten Island service center, but since all of the E-ZPass centers are close
to the roads or bridges they serve, it happens all the time.

  [Yes.  Paul Schreiber notes Susan Landau's item in RISKS-23.01 on this
  very subject.  Sorry I neglected to interject that.  PGN]

Re: Clocks set back a week too early (RISKS-23.58)

<Martin Hepworth <martinh@solid-state-logic.com>>

Fri, 05 Nov 2004 10:04:27 +0000

Since 1996, when the UK changed it's 'daylight saving' schedule to be in
line with continental Europe, it's always been the last Sunday of March and
October when this change occurs. That was 8 years ago!

http://wwp.greenwichmeantime.com/time-zone/rules/eu.htm

http://www.nmm.ac.uk/site/request/setTemplate:singlecontent/contentTypeA/conWebDoc/contentId/344

The risk seems to be people 'interpreting' the 'last Sunday' to mean the
'fourth Sunday', and not taking into account a month with 5 Sundays...

Martin Hepworth, Senior Systems Administrator, Solid State Logic Ltd
tel: +44 (0)1865 842300

---

Re: Clocks set back a week too early (RISKS-23.58)

<Mike Causer <mikec@mikecauser.com>>

Fri, 5 Nov 2004 18:34:30 +0000

[...]  The BST to GMT switch happened on the 5th Sunday of October in 1950,
1961, 1967, 1971, 1972, 1978, 1989, 1999, and 2000.  (Source:
http://wwp.greenwichmeantime.com/info/bst2.htm)

Mike Causer  http://www.mikecauser.com  mikec@mikecauser.com

Re: Is Windows up to snuff for running our world? (Smith, RISKS-23.58)

<rbean@shell.core.com (Ron Bean)>

Sat, 6 Nov 2004 23:08:57 -0500

> But is the Windows operating system really reliable and secure enough for
> these kinds of applications?

Apple is missing out on a huge market here by not allowing their OS to run
on other vendors' hardware. Nobody's going to buy a Mac to run an ATM or a
cash register, but they might buy the OS if they thought it would work
better.

Re: Battlefield Robotics are risk to the world public (RISKS-23.58)

<Geoff Kuenning <geoff@cs.hmc.edu>>

04 Nov 2004 23:40:42 +0100

To be fair to John Deere, as far as I can tell this particular robot is
intended to be used purely for surveillance and will not have offensive
capabilities.  But Edward Nilges is still correct in his analysis of the
risks of offensive robots.  I especially agree with the analogy to land
mines.

I recall a science fiction story from nearly 50 years ago that warned of the
problems of a killer robot still searching for targets long after the war
had happened.  Perhaps we should insist that everyone in the Pentagon read
old SF?

Geoff Kuenning   geoff@cs.hmc.edu   http://www.cs.hmc.edu/~geoff/

Book on malicious cryptography

<jhhaynes@earthlink.net>

Sat, 6 Nov 2004 15:43:06 -0600 (CST)

The October issue of Cryptologia has a review of "Malicious Cryptography:
Exposing Cryptovirology" by Adam L. Young and Moti Yung, about the use of
cryptography by crackers.

Report problems with the web pages to the maintainer