Source: Le Monde, 30 October 2003, http://www.lemonde.fr/txt/article/0,1-0@2-3228,36-340095,0.html Spiders are not new to the RISKS bestiary (see 18.46 and 18.58) but I don't recall seeing this particular issue. On 28 Oct 2003, the local listeners of two national radio stations were surprised to hear that it was snowing in Dinard. That's a town in Brittany, which has a mild oceanic climate; snow in October would be exceptional. The error, corrected after half an hour, was due to early-morning frost on the web woven by a spider on one of the weather station's sensors. "The computer" interpreted frost as snow, enabling the regional management of Meteo France to claim that the sensor functioned correctly. (It did detect the frost!) They added that the system has been working "perfectly" since its installation, to the great satisfaction of its users. Before that system was put in place, the airport employed three people to gather weather data. They have now been replaced by sensors. The resulting information, collected 24x7, is updated every 30 minutes and made publicly available, in particular for pilots. Daytime weather reports are checked by a human, but not those issued at night. Bertrand Meyer, ETH, Zurich http://se.inf.ethz.ch Eiffel Software, Santa Barbara http://www.eiffel.com [Subject line PGN-spun]
A punter [US: gambler] collected AUD$2.6 million after a TAB operator incorrectly entered his trifecta bet on the 2003 Melbourne Cup, Australia's most prestigious horse-race. It seems this system offers the punter the choice as to whether their bets are read back to them. He phoned in a $6 trifecta 20 times for the winning combination of the Melbourne Cup. However, the TAB operator mistakenly entered the bet 203 times, resulting in the huge windfall. He had elected not to have the bets read back and was unaware of the error at the time. On discovering the windfall in his bank account, he called the TAB, expecting this to have been a mistake. The TAB rules state that if you do not have your bets read back to you, you are forced to honor the bet, win or lose. So, he was forced to accept the winnings! Quite a remarkable tale! [PGN-ed]
The *Indianapolis Star* http://www.indystar.com/articles/6/091021-1006-009.htm reported on the latest case of anomalous e-voting results. Last Tuesday's Boone County election, using MicroVote software returned about 144,000 votes, with only 19,000 registered voters. After further review, the 5,352 votes were claimed to have been recorded. With yet another mistake, does anyone still trust closed-source electronic voting? [PGN-ed] [http://yro.slashdot.org/article.pl?sid=03/11/12/1320208 It's interesting to wonder what might have happened if the initial inaccurate result had not been so glaringly obvious ...
According to an article in the Newark NJ *Star-Ledger*, the town of Southington, CT was testing the Avante International Vote-Trakker machine in an actual election. It had a special feature which displays a printout of the cast vote for voter confirmation. This feature was nullified by the registrar who refused to do anything about a voter's claim her confirmation printout didn't match her vote. http://www.nj.com/search/index.ssf?/base/news-11/1068444794272720.xml?starledger?ntop
While the reported problem in Alameda County was that uncertified software was loaded into the voting terminals, this is really far more serious. The security of Diebold's touch-screen voting system is so weak that someone outside of Alameda County's election office (someone working for Diebold) had access to make unauthorized changes to the vote-counting software. David E. Ross <http://www.rossde.com/>
The *Los Angeles Times* today has an article relating to Diebold's Accuvote touchscreen voting machines, by Allison Hoffman and Tim Reiterman, entitled "Secretary of State Orders Audit of All Counties' Voting Systems: Review of upgraded touchscreen software leads to discovery that two registrars installed it without state's OK." Los Angeles Registrar Conny McCormack is quoted as saying, "All of us have made changes to our software — even major changes — and none of us have gone back to the secretary of state. But it was no secret we've been doing this all along. [Secretary of State Kevin Shelley] knew we were making changes." http://www.latimes.com/news/local/la-me-voting13nov13,1,531224.story ?coll=la-headlines-california Shelley's news release announcing the investigation is online at http://www.ss.ca.gov/executive/press_releases/2003/03_100.pdf It must be noted (by PGN) that the Federal Election Commission standards against which these systems have been certified are so weak that all sorts of serious problems can remain despite certification. But patching is apparently commonplace AFTER certification. In some cases, the software actually has to be CHANGED to accommodate each different ballot face, and think of what Trojan horses might be able to sneak in as a result of that!
It's worth remembering that mechanical voting machines have their own risks. The "programming" of the traditional lever machines still used in New York is an arcane art, and in some ways less susceptible to auditing than electronic machines — each machine is set up individually, so every machine is in some sense configured independently. The write-in mechanisms are, to say the least, arcane, and it's very hard for election officials to read votes scrawled in a too-small space, with a blunt pencil, written at an improbable angle. (In my town a few years ago, there was a massive (and successful) write-in campaign, when it was discovered that only three candidates were running for the three vacant seats on the school board and one of the three was from a seriously fringe party.) Me — I avoided my county's touch screen machines by voting absentee — I was out of town last Tuesday, which let me qualify for a mark sense ballot. Of course, I have no idea if it was actually readable, since there was no check machine in the county clerk's office...
(From EPIC Alert 10.23:) The Congressional Research Service (CRS) of the Library of Congress has presented to Congress a report entitled, "Election Reform and Electronic Voting Systems: Analysis of Security Issues." The report was written in response to rising concern and questions regarding new electronic voting systems after recent allegations that these systems use software that is subject to alarming security vulnerabilities. The report analyzes the controversy surrounding direct recording electronic (DRE) voting machines - the first fully computerized voting system - while putting it in the larger context of election practices and voting machine development. It details the types of threats and vulnerabilities that could jeopardize the voting process, as well as the specific complaints broached by security experts. While the CRS took pains not to take a position in the debate, it does recognize that recent analysis demonstrates the existence of security flaws in DREs, which are cause for concern. As the report states, "at least some current DREs clearly exhibit security vulnerabilities. Those vulnerabilities pose potential ... risks to the integrity of elections." It goes on to list a number of different proposals being advocated to address these vulnerabilities, including ensuring that security protocols are followed, improving the standards and certification process for voting machines, use of open source computer code, and improvements in verifiability and transparency. The last point is one that computer scientists and voting activists have been pushing for, specifically by requiring voter-verifiable paper print-outs of vote selection for voters to review. The CRS stops short of issuing any recommendations, but does indicate that further investigation and action should be taken regarding this matter. 
The CRS Report on electronic voting is available at: http://www.epic.org/privacy/voting/crsreport.pdf For background information, see EPIC's Voting page at: http://www.epic.org/privacy/voting
The Register (http://www.theregister.co.uk/content/69/33858.html) has been reporting a Belkin wireless router which, once every 8 hours, picks an HTTP request and redirects it to a web page advertising Belkin's parental-control system. Belkin seem to have now (http://www.theregister.co.uk/content/6/33918.html) promised a firmware upgrade which disables this feature. How many people will install it is another question. Other than the obvious offensiveness of this kind of thing, there are horrible dangers involved. I could be half way through some transaction over the web, and have my *router* unilaterally decide to redirect my requests somewhere else. Worse, a *program* could be doing it, and it might not even spot that something odd had happened. Any cache this side of the router will get randomly poisoned, and so on. This is just a stupid, dangerous thing to do. Together with the recent Verisign `Site Finder' service reported in RISKS-22.91, this seems to be the beginning of something new and, I think, worrying: important protocols (such as routing or DNS) are being usurped to sell advertising. Both of the cases mentioned here are sufficiently clumsy that they're likely to have hurt the usurper more than the users of these protocols, but I suspect things will be more subtle and insidious in due course. There's nothing wrong with advertising as such, but if it results in an infrastructure where no one can trust anything to actually work the way it is meant to, I think there's a significant problem.
Chips in Fish Help Net Australian Cod Poachers, 6 Nov 2003 http://story.news.yahoo.com/news ?tmpl=story&cid=1516&ncid=1516&e=5&u= /afp/20031106/od_afp/australia_fish_offbeat_031106194455 Australian fisheries investigators have wrapped up [with fish wrap?] an illegal poaching operation after inserting microchips into fish then tracking them to the culprits' freezer, officials said. Victoria state Fisheries Minister Bob Cameron said the hi-tech sting began when officers in his department found an illegal fishing net in a creek in the state's northwest. The officers inserted microchips under the skin of the golden perch and murray cod caught in the net then returned them and waited for the poachers to turn up. The fish had disappeared a day later and when officers stopped the poachers' vehicle they could find no trace of the animals. However, a subsequent search of their home uncovered fillets in the freezer, complete with microchips still emitting signals to the fisheries officers' tracking devices. [...] [Thus restoring cod peace to its perch in the "inter" net? PGN]
Minnesota has a large database of millions of records of police activity and incident data compiled on its citizens. The data is not owned by the government but an extra-legal private entity, the Minnesota Chiefs of Police Association. This alone is scary, no recourse for inaccuracy, no way to assure data is not leaked or used for political or commercial purposes. News articles show it may have been used in political demonstrations to target citizens. Good "death squad" database. It was also hacked by an unidentified whistleblower who gave State Representative Mary Liz Holberg supposedly private data about herself. The cops are pressuring the Representative to turn over the whistleblower for prosecution, but the Representative has not yet squealed. This incident caused the system to be shut down. Google search on CriMNet or MJNO to get more articles. [The Internetted system is of course thought to be secure because it is password protected! There's a LONG article by Patrick Howe. PGN] http://www.twincities.com/mld/pioneerpress/news/politics/7154217.htm
A little-noticed measure approved by both the House and Senate would significantly expand the FBI's power to demand financial records, without a judge's approval, from securities dealers, currency exchanges, car dealers, travel agencies, post offices, casinos, pawnbrokers and any other institution doing cash transactions with "a high degree of usefulness in criminal, tax or regulatory matters." [Source: Eric Lichtblau, *The New York Times*, 12 Nov 2003; PGN-ed] http://www.nytimes.com/2003/11/12/politics/12RECO.html
Don Campbell, USA Today, 10 Nov 2003 Too many of us [accept] the argument that the concept of personal privacy in the Internet era is as outdated as the Model T. Americans can get pretty upset about the ways in which modern technology drives us nuts - such as telemarketers who disrupt our dinner and spam e-mailers who make pornographic sales pitches. But a more insidious invasion of Americans' privacy quietly has taken root in Florida. It has received little attention from the media except in Florida and a handful of other states being recruited to join the enterprise. The project underscores how our fascination with technology blinds us to violations of our privacy - and highlights the inadequacy of today's mishmash of federal and state privacy laws. "MATRIX," an acronym for Multistate Anti-Terrorist Information Exchange, is, according to its creator, the largest database on the planet, with more than 20 billion records. Working with the Florida Department of Law Enforcement (FDLE) and $12 million in federal funding, a company called Seisint designed MATRIX with the objective of compiling an electronic dossier on every citizen in the nation. Not surprisingly, the cover story is that MATRIX is needed to fight terrorism. If that doesn't ping the strings of your patriotic heart, it's also being touted as the cat's meow when it comes to catching kidnappers and child molesters. ... http://www.usatoday.com/news/opinion/editorials/2003-11-10-campbell_x.htm
I am not in France at the moment, but I need to order telephone service in France, so I went to France Telecom's web site, which advertises itself as secure. One eventually finds a button for the order page: a popup window with minimal decoration and no outward indication of security — that is, no "locked/unlocked" symbol. The page asks for exactly the kind of information you don't want to become public, including bank details, etc. It isn't secured. The information isn't encrypted before being sent. I informed France Telecom of this by e-mail, including mentioning that the page appears to violate European law on the protection of personal information. A customer service representative replied: "Thousands of orders are placed on francetelecom.com every day, we have not been informed of problems encountered as a result of orders made on our site." [P-K's translation. PGN] I'm not reassured by this glib response, traditional though it may be. The customer rep gave a number to call to order service by telephone, but that number — as she knows, just as she knows I am not in France — is unusable outside France, which places added pressure to use the unsecured website. If France Telecom left the security symbol on the order page, at least people would have the information to make an informed choice of whether to proceed, but it has been deliberately hidden. And the informed choice is irrelevant to the laws protecting personal information; those are an obligation on the business, not a choice by the client. Directing "thousands" of such orders daily, unencrypted, to a well-known Internet destination is a risk for both the customers and France Telecom. Perhaps France Telecom considers identity theft a uniquely American crime, but I wonder if anyone at a responsible level is aware of the legal issues under European law of protecting exactly this kind of information. European courts seem to take these issues seriously, I'm glad to say.
Brian Bergstein, AP Online, 11 Nov 2003 http://finance.lycos.com/home/news/story.asp?story=36422485 Some career Web sites, recruitment services and automated job-application kiosks offer flimsy privacy protections and might even violate employment and credit laws, a report released Tuesday asserts. Many job sites still let too much information from resumes posted online get into the hands of third parties through online "cookies" that monitor Web surfing, according to the report, led by Pam Dixon, formerly of the University of Denver's Privacy Foundation and now head of her own group, the World Privacy Forum. The report also faults self-service job application computers commonly used by chain stores. It says they almost always demand social security numbers and perform background checks on applicants without clearly stating who will see the information. Dixon is urging job seekers to demand more stringent privacy protections. She also wants the Federal Trade Commission and the Equal Employment Opportunity Commission to look more closely at how job sites and recruitment services handle information. ...
I have a Dell Latitude running Windows 2000 with service pack 2 (I believe). It is my back-up laptop. While on a business trip to Denver, my regular laptop suffered a failure due to a poorly-designed and poorly-tested power connector on the motherboard (another story). No problem, thought I, I'll use the Dell laptop. I had about five days between my return from Denver and my departure on my next trip to Tel Aviv. Given all the security nonsense going on, I felt compelled to install the latest security patches from Microsoft's Web site.

During the course of the first attempt to do so, my system was infected by the Blaster Worm. Fortunately, I have Symantec's Ghost utility running on the system, and I could revert to the old OS install and start all over. This time, I resolved to install--and update--Norton Internet Security and Norton Antivirus prior to loading the security patches. During the course of updating the security and virus definitions, my system was again infected by the Blaster Worm. However, this time around, with the help of information and a free utility on Symantec's Web site, I was able to remove the worm.

I then went to apply the security patches again. This time, one of the patches did something untoward to my system and it started crashing. Since three days had passed at this point and I was due to leave for Tel Aviv soon, I didn't have time to isolate the bug. My guess is that the patch was not compatible with my particular system configuration. So, I reinstalled Windows 2000 from the Ghost image yet again, reloaded all my applications yet again (including Norton Internet Security and Norton Antivirus), updated the security and virus definitions yet again (escaping infection this time), and skipped the security patches. I'm going to trust Norton Internet Security, Norton Antivirus, and daily updates to those programs to protect me, because I can't trust the Microsoft security patches to be adequately tested.

Salient points:

1. One major quality risk for patches of any kind is regression (the failure of what heretofore worked). For any emergency patch, there is simply no time to repeat all the tests run against the regular release. Since security patches might well involve code deep within the operating system, it's no surprise to me that this failure to adequately regression test the patches resulted in a major incompatibility bug escaping to the field.
2. Regression bugs, particularly those where new code breaks existing functionality, can easily result in a maintenance release or patch resulting in a lower (rather than higher) level of system quality. Regression bugs might be relatively rare, but, as this case points out, they can be very dangerous.
3. It was already frustrating to have to spend about a day moving all my data and applications from my primary laptop to my backup laptop. Almost all of that time was spent installing applications on the backup system.
4. Add to that frustration the fact that I had to go through the "install OS-reinstall apps-update apps" process three times--twice more than had the problem not occurred in the first place.

All told, rack up three lost days of productivity to security bugs and general clunkiness in the Microsoft OS. At my usual consulting rates, that's thousands of dollars of lost time. Will Microsoft reimburse me for that? No way. Does that experience make me receptive to the idea of switching to some other desktop platform (Linux, Mac, whatever)? You bet. Am I more-than-ever convinced of the importance of thorough testing, including regression testing, of any software release? Absolutely.

Rex Black Consulting Services, Inc., 31520 Beck Road, Bulverde, TX 78163 USA +1 (830) 438-4830 www.rexblackconsulting.com
We have previously seen examples of scams involving a trick URL, where the part immediately after "http://" is not the real domain name. But here now is a variant that I haven't heard of before — making cleverly deceptive use of spaces. A former co-worker, Donald Teed, reports receiving what at first looked like one more normal message from an Internet-aware company. He describes it as follows: "The e-mail will appear to come from the bank, using the correct domain, and the link in the e-mail will appear to be a link to the bank, using the correct URL." The bank in this case was Capital City Trust <http://www.capcity.ab.ca/>. But the actual URL was like this: <a href="http://www.capcity.ab.ca :UserSession=00000000000000000000000000000 &userrstste=SecurityUpdate&StateLevel=CameFrom@00000000000000.com"> http://www.capcity.ab.ca/</a> Where you see a row of 0's, I have replaced the characters that were originally there, to prevent anyone from following this link by accident. Where you see blank lines, there were originally a large number of spaces. So the link claims to go to www.capcity.ab.ca, and if your browser shows you the URL before you select the link, it'll be truncated to a reasonable length and you'll see the part before the row of spaces and *still* think it's going to www.capcity.ab.ca. And then when you get to the actual site, which is at 10-cheapdesign.com, you'll find, as Donald says, "a complete clone copy of the bank's actual Web site" — only, of course, what it does is capture your account and password information so the bad guys can impersonate you. There are days when I'm really glad I don't read e-mail in a Web browser. Mark Brader, Toronto msb@vex.net [The site has now been shut down. PGN]
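A mail-filter check for the link shape described in the item above, as an added example that is not part of the original posting: it flags anchors whose authority carries userinfo before an `@`, whitespace padding, or a visible URL naming a different host than the one actually contacted. The domains `bank.example` and `collector.example` and the sample message are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Raw authority: everything between "scheme://" and the first "/", "?" or "#".
AUTH_RE = re.compile(r"^\s*[a-z][a-z0-9+.-]*://([^/?#]*)", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in a message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.cur_href = None
        self.cur_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.cur_href = dict(attrs).get("href")
            self.cur_text = []

    def handle_data(self, data):
        if self.cur_href is not None:
            self.cur_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self.cur_href is not None:
            self.links.append((self.cur_href, "".join(self.cur_text).strip()))
            self.cur_href = None


def audit_link(href, text):
    """Return (host actually contacted, findings) for one link."""
    match = AUTH_RE.match(href)
    raw_authority = match.group(1) if match else ""
    # The host is whatever follows the last '@'; the part before it is userinfo.
    host = (urlsplit(href).hostname or "").lower()
    findings = []
    if "@" in raw_authority:
        findings.append("userinfo-before-host")
    if re.search(r"\s|%20", raw_authority):
        findings.append("whitespace-in-authority")
    if re.match(r"https?://", text, re.I):
        shown = (urlsplit(text).hostname or "").lower()
        if shown and shown != host:
            findings.append("text-host-mismatch")
    return host, findings


def audit_html(body):
    """Audit every anchor in an HTML message body."""
    collector = LinkCollector()
    collector.feed(body)
    collector.close()
    return [audit_link(href, text) for href, text in collector.links]


# Constructed sample: a padded, userinfo-style link followed by an ordinary one.
PADDED = ("http://www.bank.example" + " " * 60 +
          ":UserSession=0000&amp;step=SecurityUpdate@collector.example/login")
SAMPLE_HTML = (
    '<p>Please confirm your details: <a href="' + PADDED +
    '">http://www.bank.example/</a></p>'
    '<p><a href="https://www.bank.example/help">Help pages</a></p>'
)

if __name__ == "__main__":
    for host, findings in audit_html(SAMPLE_HTML):
        print(host, findings)
```
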
The reporter noted a consumer asking, "Why does it have a computer that reads the problems if they can't fix them?" Although it makes me a bit of an old geezer to admit it, Bill Karcher framed this idea in the early 1970's. One of the systems software heavies from Control Data Corporation (the original 'supercomputer' maker), Karcher's Law was "Don't check for error conditions you are not prepared to handle." This was particularly important when memory and processor cycles were at a premium. The problem described by this reporter is a common one, namely, "punt to the user" style systems. The idea that the user will be able to manage all the fault conditions that the computer can detect leads, inexorably, to unusable systems. Of course, even if the history of such a system is that it produces lots of false or misleading information or behaves strangely or unintelligibly, whenever an overt failure does occur, the user will be blamed for having ignored the warning.