The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 23 Issue 07

Thursday 18 December 2003


Remote-controlled trains
Bill Tolle
Over-reliance on PowerPoint leads to simplistic thinking
Japan's Mars probe goes off course
Risk of a test message: Heated Training Session
Patrick Lincoln
Voter information up for grabs
Voting machine maker dinged
Lillie Coney
Convicted felons worked for electronic voting companies
Susan Marie Weber
Re: Diebold ATMs hit by Nachi worm
Drew Dean
Re: Why have electronic voting machines at all?
Russ Cooper
Proper understanding of "The Human Factor"
Don Norman
April Fool's e-mail freed detained kidnapper
Lillie Coney
This number's ready for prime time
Mark Brader
Correction for RISKS-23.06
Trevor Zacks
Free lunch? Or double-or-nothing?
Rob Slade
REVIEW: "Effective Security Management", Charles A. Sennewald
Rob Slade
Info on RISKS (comp.risks)

Remote-controlled trains

<Bill Tolle <>>
Mon, 08 Dec 2003 16:10:19 -0600

A railroad worker was struck and killed by one of the locomotives he was
operating by remote control from the Union Pacific rail yards in San
Antonio, TX.  [Source: AP item, *Houston Chronicle*, 8 Dec 2003]

Over-reliance on PowerPoint leads to simplistic thinking

<"NewsScan" <>>
Mon, 15 Dec 2003 08:42:21 -0700

NASA's Columbia Accident Investigation Board has fingered the agency's
over-reliance on Microsoft PowerPoint presentations as one of the elements
leading to last February's shuttle disaster. The Board's report notes that
NASA engineers tasked with assessing possible wing damage during the mission
presented their findings in a confusing PowerPoint slide so crammed with
bulleted items that it was almost impossible to analyze. "It is easy to
understand how a senior manager might read this PowerPoint slide and not
realize that it addresses a life-threatening situation," says the report.
NASA's findings are echoed in a pamphlet titled "The Cognitive Style of
PowerPoint," authored by information presentation theorist Edward Tufte, who
says the software forces users to contort data beyond reasonable
comprehension. Because only about 40 words fit on each slide, a viewer can
zip through a series of slides quickly, spending barely 8 seconds on each
one. And the format encourages bulleted lists -- a "faux analytical"
technique that sidesteps the presenter's responsibility to link the
information together in a cohesive argument, according to Tufte, who
concludes that ultimately, PowerPoint software oozes "an attitude of
commercialism that turns everything into a sales pitch."  [*The New York
Times*, 14 Dec 2003; NewsScan Daily, 15 December 2003]

Japan's Mars probe goes off course

<"Peter G. Neumann" <>>
Tue, 9 Dec 2003 13:48:28 PST

Nozomi ("hope"), Japan's first interplanetary explorer, went off course in
attempting to orbit Mars, culminating a five-year journey.  Efforts to
salvage the mission have failed and the probe has almost run out of fuel,
although the probability of a collision with Mars has reportedly been
reduced from 1% to 0%.

Risk of a test message: Heated Training Session

<Patrick Lincoln <>>
Thu, 18 Dec 2003 07:34:38 -0800

According to an advisory issued on 17 Dec 2003 by the National Weather
Service, "... the Earth has left its orbit and is hurtling towards the sun."
The post on the National Oceanic & Atmospheric Administration's Web site
continued: "Unusually hot weather will occur for at least the next several
days as the Earth draws ever nearer to the sun.  Therefore, an excessive
heat watch has been posted."  The release was a test message, erroneously
posted by during a training session.  The statement has since been removed.

Voter information up for grabs

<"NewsScan" <>>
Thu, 11 Dec 2003 10:23:45 -0700

Unbeknownst to most citizens, state officials are selling their
voter-registration information to political candidates, nonprofit groups and
data collectors who then combine it with census data, purchasing histories,
credit reports and magazine subscription lists in order to fine-tune their
messages or marketing pitches to specific constituencies, such as pickup
truck drivers who subscribe to "Soldier of Fortune" or SUV drivers who buy
lacy underwear at Victoria's Secret. And while some states limit sales to
political groups, 22 states lack any criteria restricting who may purchase
the information. "Voters fill out these forms in good faith, thinking the
information they're providing is needed for the purpose of administering
elections," says California Voter Foundation founder Kim Alexander. "Then
they get phone calls or a knock on the door from campaign strangers who have
a list of their personal data." Alexander says the information requested by
many states, such as Social Security numbers and mother's maiden names,
could easily be used for identity theft. The situation has become especially
troubling since Congress passed the Help America Vote Act last year, which
required that states develop a centralized, statewide voter-registration
database, making it possible for third parties to collect huge amounts of
data very easily. Alexander says the reason there's been no outcry against
the practice is that "the people who ultimately decide how voter data should
be allowed to be used are the politicians… Politicians need to rein in
the laws, yet they're the biggest consumers of data."  [, 11 Dec
2003; NewsScan Daily, 11 Dec 2003],1367,61507,00.html?tw=wn_tophead_2

Voting machine maker dinged

<Lillie Coney <>>
Thu, 18 Dec 2003 09:53:56 -0500

California Secretary of State Kevin Shelley has said that Diebold Elections
Systems could lose the right to sell electronic voting machines in
California.  State auditors found that Diebold distributed software versions
in 17 counties that had not been certified by the state, and that in 3 of
those counties (including Los Angeles County) the systems had not been
approved by the Federal Election Commission.  [Source: Voting machine maker
dinged, Auditor says software wasn't approved Elise Ackerman, *San Jose
Mercury News*, 17 Dec 2003; PGN-ed]

  [And as noted here on various occasions, the FEC standards are very weak
  to begin with.  Even the California certification process does not require
  any MEANINGFUL assurance that electronic machines record cast votes
  correctly.  PGN]

Convicted felons worked for electronic voting companies

<"SusanMarieWeber" <>>
Tue, 16 Dec 2003 22:30:58 -0800

Voter advocate Bev Harris alleged Tuesday that managers of a voting-machine
subsidiary of Diebold Inc. included at least five convicted felons, among
them a cocaine trafficker, a man who conducted fraudulent stock
transactions, and a programmer jailed for falsifying computer records.  The
programmer, Jeffrey Dean, wrote and maintained a proprietary code used to
count hundreds of thousands of votes as senior vice president of Global
Election Systems Inc.  Ohio-based Diebold purchased GES in January 2002.
According to a court document released before GES hired him, Dean served
time in a Washington correctional facility for stealing money and tampering
with computer files in a scheme that "involved a high degree of
sophistication and planning."

In January, Senator Barbara Boxer, D-Calif., will submit a bill requiring
stringent background checks on all electronic voting company employees who
work with voting software. The bill, which Boxer plans to introduce in
January, would toughen security standards for voting software and hardware,
and require touch-screen terminals to include printers and produce paper
backups of vote counts by the 2004 presidential election.

  [Source: Critics: Convicted felons worked for electronic voting companies
  Rachel Konrad, Associated Press, 16 Dec 2003; PGN-ed]
  Also see,2645,61640,00.html

    [And this story does not even mention Phil Foster, employee of Sequoia
    Pacific, indicted for vote fraud, who was working in the back rooms
    during the elections of Riverside County, November, 2000.  smw]

      [... or a bunch of other felony convictions related to voting.  Of
      course the risks of undetected errors and malicious misdeeds in voting
      machines have been discussed for years in RISKS.  It is encouraging
      that more people are beginning to understand the risks. PGN]

Re: Diebold ATMs hit by Nachi worm (Cooper, RISKS-23.06)

<Drew Dean <>>
Tue, 09 Dec 2003 15:50:42 -0800 (PST)

I find Russ Cooper's contribution to be symptomatic of the security
community's world view: security über alles.  Yes, it may be more secure
if an ATM always initiates contact with the outside world, but it has major
impacts in manageability, and also opens up new threats.

Consider the following scenario: There's an ATM, indirectly connected to the
Internet, sitting in a shopping mall.  It's 3am (local time -- always true
somewhere in the world), the mall is locked up tight, and there's a worm on
the loose.  Said worm is programmed to look for vulnerable ATMs, and cause
them to dispense all the cash they hold.  It would be a Bad Thing(tm) if the
mall opens the next morning with cash scattered all over the floor.  Observe
that sending a service technician out is extremely expensive, and
logistically difficult/impossible.  It's both faster and cheaper for the
bank's data center to remotely patch the ATMs from a central location.

Now, you can argue that the ATM should be polling the data center for
patches, but that opens up an equivalent vulnerability: once the polled
machine is compromised, it sends the patch(es) of the attacker's choice to
the ATM, and we end up in the same situation.  Of course, if the ATM is
compromised, it might stop listening for updates.  Partial failure of
systems is always difficult to design for, and this example is no different.

I think a fair summary is that the real world is a messy place, with many
different threats, and while sound bites may be satisfying to pronounce,
they rarely solve the problem.

Drew Dean, Computer Science Laboratory, SRI International
  [Similar comment from Ray Blaak.  PGN]

Re: Why have electronic voting machines at all? (RISKS-23.06)

<"Russ" <>>
Wed, 10 Dec 2003 05:09:05 -0500

Maybe I missed the comment, but it seems to me that one of the most
compelling reasons for e-voting, getting more people out to vote, is being
missed in these threads. Maybe voter turnout in the States is always >50%,
it isn't here (Canada).

If an eligible voter can sit at home, take a couple of minutes, and register
their preference in an election, there's a belief that a lot more people
will vote. I fail to see how anything else could be as likely to increase
voter participation.

I'm not minimizing the risks or cost involved in making such a scheme work
securely, but in a country such as ours where people are broadly
distributed, reducing the need for people to go to a polling station is
highly desired.

Russ - NTBugtraq Editor

Proper understanding of "The Human Factor"

<"Don Norman" <>>
Thu, 11 Dec 2003 12:15:00 -0600

  [Warning: This is not a posting of some news item. It is an essay -- well,
  a lecture -- triggered by two recent RISKS postings, particularly because
  the second posting completely misunderstood the purpose of the first and
  didn't bother to read the book which was being recommended. And exhibited
  an attitude on the part of designers that is the biggest risk of all risks
  -- because it is the kind of attitude that causes the very problems the
  RISKS group is designed to eliminate.  DN]

If we assume that the people who use technology are stupid ("Bubbas") then
we will continue to design poorly conceived equipment, procedures, and
software, thus leading to more and more accidents, all of which can be
blamed upon the hapless users rather than the root cause -- ill-conceived
software, ill-conceived procedural requirements, ill-conceived business
practices, and ill-conceived design in general. This appears to be a lesson
that must be repeated frequently, even to the supposedly sophisticated
reader/contributor to RISKS.

It is far too easy to blame people when systems fail. The result is that
over 75% of all accidents are blamed on human error.  Wake up people! When
the percentage is that high, it is a signal that something else is at fault
-- namely, the systems are poorly designed from a human point of view. As I
have said many times before (even within these RISKS mailings), if a valve
failed 75% of the time, would you get angry with the valve and simply
continual to replace it? No, you might reconsider the design specs. You would
try to figure out why the valve failed and solve the root cause of the
problem. Maybe it is underspecified, maybe there shouldn't be a valve there,
maybe some change needs to be made in the systems that feed into the valve.
Whatever the cause, you would find it and fix it. The same philosophy must
apply to people.

Item. I predict that the municipal water and wastewater treatment industry
is in for a series of serious accidents. Why? Because of postings like that
of Dave Brunberg (RISKS-23.06). He was triggered by Mike Smith's
recommendation for the book "The Human Factor" (RISKS-23.04), but without
bothering to read the book. So he tells us of the "Bubba factor" in his
industry, namely, the belief that operators (named "Bubba") are
characterized by stupidity, laziness, and general ineptness. Brunberg
complains that he must make his software work despite the incompetence of
his operators: "you walk a very fine line between making the plant so
inflexible that operators cannot respond to unforeseen problems and giving
Bubba a little too much latitude."

No wonder we continue to have problems. It is this attitude of developers
that cause the very problems they complain about. The book, the Human
Factor, is in fact an excellent argument against Brunberg's point of view.
In it, the author (Kim Vicente) points out that procedural demands, business
practices that reward productivity and punish safety, and the inability of
system designers to understand the real requirements on the plant operators
are what leads to failure. Poor Bubba is yelled at by his bosses for slowing
up production, penalized if he raises questions about safety. If he follows
procedures, he can't meet production requirements. If he violates them --
which is what everyone is forced to do -- he is punished if an accident
occurs. No matter that lots of other Bubbas have warned about that

Let me also recommend the excellent "Field Guide to Human Error
Investigations." Here, the author (Sidney Dekker) points out that the old
view of human error is that it is the cause of accidents whereas the new
view is that it is a symptom of trouble deeper inside a system. Alas, the
"old" view is in actuality the current view, whereas the "new" view is still
seldom understood. (The "new" view has only been around for 50 years, so I
suppose we need to give it more time.). The Field Guide is about aviation,
but it is very applicable to the waste industry as well -- and to hospitals,
and emergency crews, and manufacturing plants, and any situation where
accidents are being blamed on people.

The most serious RISK in all this is that people take the easy way out,
blame the operator for incompetence, and then smile smugly from their
air-conditioned office, far away from the plant. As long as this attitude
persists, we will have bigger and bigger accidents.

DISCLAIMER (MILD). My strong recommendation for "The Human Factor" appears
on the back jacket of that book and on my website.  My equally strong
recommendation for the "Field Guide" will appear on my website Real Soon

Dekker, S. (2002). The field guide to human error investigations. Burlington
VT: Ashgate.

Vicente, K. J. (2003). The human factor: revolutionizing the way people live
with technology. Toronto: A. A. Knopf Canada.

Don Norman, Nielsen Norman Group and Northwestern University

  [Two typos fixed in archive.  PGN]

April Fool's e-mail freed detained kidnapper

<Lillie Coney <>>
Thu, 04 Dec 2003 12:42:14 -0500

A Homeland department employee's prank e-mail prompted the release of an
immigration agency detainee who had been convicted of kidnapping, according
to the department's Inspector General.  The unidentified detainee turned
himself in to Immigration and Customs Enforcement deportation officers two
days after his improper release.  The employee sent an April Fool's e-mail
to 16 ICE detention officers and supervisors advising them that the
detainee's citizenship had been established with a Puerto Rican birth
certificate, which authorized his release.  At the end of the e-mail, the
employee wrote, "Now about that bridge I'm selling. April Fools!"  Nine
minutes later, the employee sent a second e-mail that began by saying, "In
case you didn't get to the end of my previous message, here's what really
happened today."  The second message said that the detainee had been ordered
deported to the Dominican Republic.  A homeland officer who read the first
prank e-mail but did not note the April Fools reference, and did not read
the second e-mail, processed paperwork that authorized the detainee's
release from a county jail on 2 Apr.  [Source: Wilson P. Dizard III,
Government Computer News (, 28 Nov 2003; PGN-ed]

This number's ready for prime time (RISKS-23.06)

< (Mark Brader)>
Tue, 9 Dec 2003 20:14:06 -0500 (EST)

Primes of the form 2-to-the-power-of-P would be *exceedingly* rare.
[Yes, ONLY ONE for P>0.  PGN]
Fortunately, that's not what the New Scientist article actually says.
  [MINUS ONE was inadvertently omitted from the parenthetical, and
  has been added to the archive copy.  Noted by many of you.  TNX.  PGN]
     [ANOTHER TYPO CORRECTED IN archive copy of THIS one.  P>0.  Sorry. PGN]

Correction for RISKS-23.06 (via Lindsay Marshall)

<Trevor Zacks>
15 Dec 2003

New official self-service litigation system available in England/Wales
link is (now) not
corrected in the on-line version of the Telegraph at the specified link.

  [Also corrected in RISKS archives.  PGN]

Free lunch? Or double-or-nothing?

<Rob Slade <>>
Mon, 15 Dec 2003 13:11:27 -0800

Leave your cards in the car when you walk into McQuickFood, lest you end up
paying for your neighbour's lunch.  (We've already seen this with SpeedPass,
have we not?)


MasterCard and American Express have been testing "contactless" versions of
their credit cards that use an embedded RFID chip rather than a magnetic
strip to store financial data. The cards can simply be waved in front of a
reader to complete the purchase. "In some instances it's faster than cash.
You're eliminating the fumble factor," says a MasterCard VP. The company
plans to roll out its PayPass system next year, beginning in fast food
joints and other venues where customers tend to be in a hurry. Forrester
Research predicts it will take several years for the contactless cards to
go mainstream, citing consumers' security concerns and unfamiliarity with
the technology as impediments to change. (AP/ 14 Dec 2003),1282,61603,00.html?tw=wn_tophead_7    or

REVIEW: "Effective Security Management", Charles A. Sennewald

<Rob Slade <>>
Tue, 16 Dec 2003 08:28:19 -0800

BKEFSCMN.RVW   20031006

"Effective Security Management", Charles A. Sennewald, 2003,
0-7506-7454-7, U$49.95/C$72.50
%A   Charles A. Sennewald
%C   225 Wildwood Street, Woburn, MA  01801
%D   2003
%G   0-7506-7454-7
%I   Butterworth-Heinemann/CRC Press/Digital Press
%O   U$49.95/C$72.50 800-366-BOOK fax 800-446-6520
%P   395 p.
%T   "Effective Security Management"

The preface makes clear that the author's major background is in the field
of physical security.  This is evident in places throughout the rest of the
book, but much of the material is more broadly applicable.

The introduction presents a wonderful statement about management, that it is
"the ability to create an environment in which other individuals willingly
participate to achieve objectives."

Part one deals with general security management.  Chapter one outlines some
principles of organization, and provides an excellent overview of the basics
of management.  The physical security background shows in, for example, the
assumption that demonstrating a "contribution to profits" is relatively
straightforward and easy to quantify.  The review questions at the end of
the chapter are an adequate summary of the material, but provide no more
than a simple reading check.  Organizational structure, in chapter two, is
based on the real world rather than theory.  Sennewald notes the difference
between formal and informal arrangements, as well as both the good and bad
reasons that the two exist.  Security's role in the organization emphasizes
physical security, but chapter three also addresses non-traditional
functions such as training, internal consulting, and executive protection.
Chapters four, five, and six deal with the roles of, respectively, the
security director, supervisor (emphasizing the chain of command), and
employee (mostly stressing personal character and integrity).

Part two addresses security personnel management.  Chapter seven, on hiring,
is reasonable, but fails to provide useful guidance on avoiding common
pitfalls in reviewing resumes and interviewing candidates.  There is, for
example, a heavy reliance on open-ended questions, which often backfire on
interviewers since the responses tend to be so different that it makes the
difficult task of judging between people even harder.  The creation of a job
description, in chapter eight, provides good pointers and a helpful outline.
There are more complaints about how training is done poorly than suggestions
about how to fix the problem in chapter nine.  The material on discipline,
in chapter ten, is good but not great.  In regard to the motivation of
employees, Sennewald presents the classic "Theory X and Theory Y" model, but
chapter eleven is more concerned with pointing out the disadvantages of
punishment and control (X) than with suggesting how to support employees
(Y).  Chapter twelve, on promotions, repeats many of the points of chapter
seven.  The vague look at communications, in chapter thirteen, is not
necessarily helpful.  The classic debate between employment of, or
contracting out, security personnel is presented in chapter fourteen.

Part three considers operational management.  Budgeting, in chapter fifteen,
is a good start for those without a financial background, but gets bogged
down in specific forms.  The basics of risk management (albeit limited to
physical security situations) is introduced in chapter sixteen.  Some
expansion is given in chapter seventeen, but the content is generally
duplicated, and I wonder why the chapters were split.  Review and audit,
renamed the security survey, is important, but chapter eighteen seems to be
a not-completely-recycled magazine article.  It seems odd to cover office
administration, in chapter nineteen, but many physical security officers may
have limited office background, so this might be quite useful.  The
discussion of policy and procedures, in chapter twenty, primarily deals with
procedures.  Chapter twenty one, on computers and security management, is
the longest in the book, but is only a computer literacy article and
addresses no specific security applications.  Sennewald argues that
statistics can be useful, but chapter twenty two does not provide much
direction in their manipulation.

Part four deals with public relations.  A pedestrian selling job for
security is in chapter twenty three.  The relationship with law enforcement,
in chapter twenty four, emphasizes what the police can provide.  Chapter
twenty five promotes cooperation with those in the same industry and the
importance of trade groups, as well as community service.  This latter topic
is expanded in twenty six.  Chapter twenty seven is a very recognizable list
of thirty two "jackass traits" for managers, pointing out all kinds of
mistakes people can make.  How to improve your performance gets less space,
and it is hard to know where to draw the line between opposing problems,
such as "the Despot" and "The Popularity Kid."

Despite specific problems, this book provides some extremely valuable advice
for security managers of all kinds, not just the physical security officers
at whom it is aimed.

copyright Robert M. Slade, 2003   BKEFSCMN.RVW   20031006    or

Please report problems with the web pages to the maintainer