The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 23 Issue 10

Tuesday 30 December 2003

Contents

Cybercrime more than doubled in 2003 (NewsScan)
Reliability of network vulnerability testing is decreasing (Charles Preston)
Biometrics: 'Not your father's fingerprints' win out (NewsScan)
Pointless "security" (Huge)
To Err is Human: Building a Safer Health System (Marc Auslander)
VoteHere reports computer break-in (Fredric L. Rice)
Re: Voter information up for grabs (Kelly Bert Manning)
Re: Why have electronic voting machines at all? (Peter Williams)
Electronic voting: social aspects (Andrew o' Baoill)
Re: Over-reliance on PowerPoint (Ron Bean)
Re: Poor writing is the problem, not PowerPoint (Julian Thomas)
An economic argument against PowerPoint (Carson Harding)
Re: Railroad accident (John Hines, John A. Stewart, Ed Ravin, Chris Smith,
  Matthew Delaney, David Cantrell)
Re: Loss of bus braking due to nearby illegally modified transceivers (Huge)
Info on RISKS (comp.risks)

Cybercrime more than doubled in 2003

<"NewsScan" <newsscan@newsscan.com>>
Mon, 29 Dec 2003 10:23:57 -0700

This past year the Internet proved a lucrative haven for phishers, online
auction scammers and Nigerians proffering cash-sharing partnerships,
according to statistics from the Internet Fraud Complaint Center, which
reports it received more than 120,000 online fraud complaints in 2003. That
translates to an increase of 60% since 2002, when 75,000 complaints were
processed. The Center provides cybercrime victims with a convenient process
for filing complaints, which it then analyzes and routes to the appropriate
FBI field office or local law enforcement agency for further action.  [*The
Register*, 29 Dec 2003; NewsScan Daily, 29 Dec 2003]
  http://www.theregister.co.uk/content/55/34667.html


Reliability of network vulnerability testing is decreasing

<Charles Preston <cpreston@gci.net>>
Tue, 23 Dec 2003 09:53:50 -0900

Both home computer users and corporations use outside testing services to do
port scans and vulnerability scans.  This testing is performed to verify
that expected safeguards are in place, and that configuration changes
haven't left the network more open than anticipated.  Some are free port
scans, like the http://www.grc.com service ShieldsUp, and some
port/vulnerability scans cost tens to hundreds of dollars per IP address.

The testing is based on the assumptions that, subject to network congestion,
packets sent to any port on a network perimeter device will arrive, and that
open ports are equally visible from the Internet and from a computer in the
building next door.

Both of these assumptions are incorrect for some ISPs.

What is increasingly occurring is that some ISPs are blocking certain ports
from the Internet.  Worse, when you inquire, they are incorrectly stating
that they are not blocking any ports, and they are making changes without
any notification to customers.

The same ports are not always blocked between two addresses on the same ISP
network.  This raises the possibility that a vulnerability test from the
Internet will fail to disclose an actual vulnerability, which can be
exploited from any address inside the ISP network.  I had exactly this
situation occur when testing a vulnerability scanning service.

Some ISPs have been blocking NetBIOS ports for home networks, such as on
cable modems, but could quit blocking ports if asked, on an individual
connection basis.  This was to assist home users with Microsoft operating
systems who had no other security.

I have been told by two ISPs that blocking is implemented in their routers
or "core router" and cannot be changed for business connections.

A search on Google indicates that some ISPs are blocking a number of ports,
not just NetBIOS, primarily in response to recent network worms.

In order to use a vulnerability scanning service, companies will be forced
to check for ISP port blocking just at the outside of their firewalls, with
the further problem that the results are subject to unannounced change at
any time.  This will lower the benefit of frequent periodic testing.

Charles Preston, Information Integrity
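
Added example (not part of Preston's post): one way to run the check he describes at the outside of the firewall, by comparing an external scan report against the probes that actually reached the perimeter. The addresses, scan report and tcpdump lines are constructed sample data, and the function names are hypothetical.

```python
import re

SCANNER_IP = "198.51.100.7"   # constructed: address of the outside scanning service
TARGET_IP = "203.0.113.10"    # constructed: our perimeter address

# Constructed sample: what the external scanning service reported.
SCAN_REPORT = {22: "open", 80: "open", 135: "filtered",
               139: "filtered", 445: "filtered", 3389: "closed"}

# Constructed sample: `tcpdump -n` output taken on the firewall's outside
# interface while the scan ran. The last line is a host on the same ISP.
CAPTURE = """\
10:15:01.000101 IP 198.51.100.7.40001 > 203.0.113.10.22: Flags [S], seq 100, win 1024, length 0
10:15:01.000350 IP 203.0.113.10.22 > 198.51.100.7.40001: Flags [S.], seq 900, ack 101, win 65535, length 0
10:15:01.010200 IP 198.51.100.7.40002 > 203.0.113.10.80: Flags [S], seq 200, win 1024, length 0
10:15:01.020300 IP 198.51.100.7.40006 > 203.0.113.10.3389: Flags [S], seq 600, win 1024, length 0
10:15:07.500000 IP 203.0.113.77.51515 > 203.0.113.10.445: Flags [S], seq 700, win 8192, length 0
"""

# Matches an initial SYN only; "[S.]" (SYN-ACK) does not match.
SYN_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[S\]")


def ports_that_arrived(capture, source_ip, target_ip):
    """Destination ports for which a SYN from source_ip reached target_ip."""
    seen = set()
    for line in capture.splitlines():
        m = SYN_RE.search(line)
        if m and m["src"] == source_ip and m["dst"] == target_ip:
            seen.add(int(m["dport"]))
    return seen


def classify(report, arrived):
    """Label each scanned port by whether the scan result can be trusted."""
    result = {}
    for port, state in sorted(report.items()):
        if port in arrived:
            # The probe reached us, so the reported state reflects our device.
            result[port] = "verified-" + state
        elif state == "open":
            # A reply with no captured probe means the capture missed traffic.
            result[port] = "inconsistent"
        else:
            # Probe never arrived: something upstream dropped it, so the
            # "filtered"/"closed" verdict says nothing about our own config.
            result[port] = "untested-upstream-block"
    return result


def untested_ports(report, arrived):
    """Ports the external scan could not actually test."""
    labels = classify(report, arrived)
    return [p for p, v in labels.items() if v == "untested-upstream-block"]


if __name__ == "__main__":
    arrived = ports_that_arrived(CAPTURE, SCANNER_IP, TARGET_IP)
    for port, label in classify(SCAN_REPORT, arrived).items():
        print(f"{port:>5}  {label}")
```

Ports labelled untested-upstream-block need a second scan from a vantage point inside the ISP, and because the blocking can change without notice the comparison has to be repeated with every scan.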


Biometrics: 'Not your father's fingerprints' win out

<"NewsScan" <newsscan@newsscan.com>>
Mon, 29 Dec 2003 10:23:57 -0700

The biometrics industry -- spurred on by heightened terrorist concerns --
has rolled out a variety of new ways to identify people, ranging from retina
and iris scans to mapping voice patterns or walking styles, but there's a
clear winner among the competing technologies -- the old-fashioned
fingerprint. "They are looking for proven technology that's stable and
familiar," says Joseph J. Atick, CEO of biometric firm Identix.  "It's not
about technology. It's about lowering your deployment risk." But these
aren't your father's fingerprints -- today's equipment does away with messy
ink in favor of digital records, created by software when fingers are
pressed against an electronic pad or sensitive photoplate. And often as not,
the fingerprints are then combined with some other form of biometric ID,
such as facial recognition. Meanwhile, growing use of passports, drivers'
licenses and employment ID cards embedded with ID-data microchips is
spawning a new business for data processing giants such as IBM, Unisys and
Siemens. "The technology (to integrate ID data with public records) is
advancing rapidly. The big growth will be in 2005 and 2006," says a Unisys
official.   [*The New York Times*, 29 Dec 2003; NewsScan Daily, 29 Dec 2003]
  http://partners.nytimes.com/2003/12/29/business/media/29face.html


Pointless "security"

<huge@huge.org.uk>
Wed, 24 Dec 2003 12:40:55 +0000 (GMT)

I live in the UK and my parents live in the USA. Every year, at Christmas, I
send them a parcel containing food items that are hard or impossible to get
in the USA, or are prohibitively expensive there.  (Apologies if any of this
takes on the attributes of a rant. I find it difficult to talk about this
rationally.)

I find that as of 12th Dec 2004, any food items mailed to the US have to be
pre-registered with the FDA.  From the Web site
  http://www.cfsan.fda.gov/~dms/fsbtact.html:

  "Nearly 20% of all imports into the U.S. are food and food products. In
  2002 Congress passed the Bioterrorism Act as a part of its ongoing effort
  to combat terrorism - in this instance, by reducing the ability for
  international terrorists to carry out terrorist attacks in the U.S.  by
  contaminating imported foods."

Now for the rant bit. I can appreciate that the US Government wants to
protect the food supply against bio-terrorism, but what in the name of Ghod
do they think this is going to achieve? Were I a bio-terrorist, about to
ship a boxful of Ebola contaminated sausage to the USA, would I register it
on the FDA site? Or would I write "Books" on the Customs form and send it
anyway?

And that brings me to the registration process itself, in order that I might
legally send Christmas Cake, Christmas Pudding and Marmite (*) to my poor
deprived parents. At least I can do it online (see
http://www.cfsan.fda.gov/~pn/pnoview.html). But do I have to register at
all? "Private residences of individuals" are excluded. Why? My box of Ebola
could just as easily come from my kitchen as from the local sausage
plant. And if I'm a terrorist (which I'm not), again I ask, why would I
register at all? And if I do register (which I haven't), why threaten me
with US law (which the site repeatedly does.) I know the US Government
struggles with the concept of extra-territoriality

In short, what is the point of this? Other than make-work for Government
employees. Still, at least the website works with Mozilla. I guess I should
be thankful for small mercies.

"Something must be done. This is something. Therefore we will do it."

(* Yes, I know Americans regard Marmite as a bioweapon, but it isn't.
Honestly.)


To Err is Human: Building a Safer Health System

<Marc Auslander <marcslists@optonline.NOSPAM.net>>
Tue, 23 Dec 2003 20:36:31 -0500

In support of Don Norman's posting
  Proper understanding of "The Human Factor",
I would recommend a 1999 Institute of Medicine report which makes pretty
much the same argument about medical errors.  It points out that one
consequence of taking an approach which blames the person, rather than the
system, is that the information needed to fix the system is suppressed!  To
quote from the report:

"One of the report's main conclusions is that the majority of medical errors
do not result from individual recklessness or the actions of a particular
group--this is not a "bad apple" problem. More commonly, errors are caused
by faulty systems, processes, and conditions that lead people to make
mistakes or fail to prevent them. For example, stocking patient-care units
in hospitals with certain full-strength drugs, even though they are toxic
unless diluted, has resulted in deadly mistakes."

The report is at: http://www.iom.edu/includes/DBFile.asp?id=4117


VoteHere reports computer break-in

<"Fredric L. Rice" <frice@skeptictank.org>>
Tue, 30 Dec 2003 10:21:33 -0800

E-voting firm reports computer break-in
Federal authorities investigating VoteHere intrusion
MSNBC.COM EXCLUSIVE
By Alan Boyle, Science editor
http://www.msnbc.msn.com/id/3825143

A company developing encryption-based software for secure electronic voting
has itself become the victim of a computer break-in, the company's top
executive told MSNBC.com. Federal authorities have confirmed that the
incident is under investigation.  The intrusion into Bellevue-based
VoteHere's corporate network occurred in October, said Jim Adler, VoteHere's
founder, president and chief executive officer.  No suspects have yet been
named, but Adler said his company, in cooperation with investigators, had
developed substantial information about the source of the intrusion over the
past two months.  "We feel that it may have been politically motivated,"
Adler said.

Adler's revelation came amid a deepening debate over e-voting and its
vulnerability to election fraud -- and a controversy over surreptitious
methods to get information about how e-voting software works.

  [Another report indicates they know who the culprit is.  PGN]


Re: Voter information up for grabs (Ross, RISKS-23.09)

<bo774@freenet.carleton.ca (Kelly Bert Manning)>
Tue, 23 Dec 2003 22:56:28 -0500 (EST)

> .. I feel that privacy concerns should not eliminate the public
> availability of what have traditionally been public records.

Sounds very similar to the "shut up and get used to it" response I got from
a Provincial Legislative Committee (chaired by Barry Jones) in my province.

Rather than giving it up as hopeless, I continued to lobby and to make
various interest groups (such as doctors' professional associations,
battered women's shelters, rape relief centers, police associations, etc.)
aware of the issues and the evidence of voter list abuse.

During the election which got Mr. Jones into office, one campaign office
reported that the only thing stolen during a break-in was the CD copy of the
voter list. The computers and all the office equipment were left.

I also provided them with copies of documents I obtained after suing "Datex
Services", a Vancouver-based junk-mailing-for-hire outfit. Those invoices
showed Datex purchasing a copy of the "geographic alpha sort" fiche copy of
the voter list, 2 days before provincial legislation declaring such uses
illegal was proclaimed.

While I had him in front of a Judge, Mr. Vandersteldt of Datex stated that
if he was denied access to voter lists for junk mailing purposes, he would
simply create a fringe party to obtain a "free" copy.

That seemed to get some attention. Next thing I knew, both the provincial
election act and the municipal act had been amended to allow voters to have
their addresses suppressed, even from routine access by elections branch
staff. The amended legislation authorizes seeding voter lists with fake
names to allow abuse of the personal information to be detected.

My wife and I chose to opt out of the "motor voter" program which uses
driver licence and vehicle registration changes of address to update the
voter list. I got a bit of a hassle from a young poll clerk the last time I
showed up to vote, but an older clerk she consulted informed her that it is
now quite common to be on a voter list without an address.

Election staff have wide discretion to suppress addresses. Shortly after the
legislative change the Municipal Clerk for Squamish suppressed the address
of every voter when a man with a history of violence ran, apparently seeking
non-published addresses of people he was stalking.  The severance was upheld
by the Office of the Information and Privacy Commissioner.

  http://www.oipc.bc.ca/orders/Order69.html


Re: Why have electronic voting machines at all? (Cooper, RISKS-23.06)

<Peter Williams <peterw@zip.com.au>>
Fri, 26 Dec 2003 22:55:25 +1100

I always find these discussions about voting systems fascinating, mainly
because my experience is so utterly different to what gets discussed.

Here in Australia, elections are managed by the AEC, an independent federal
statutory body with no links to any political party. (Their website at
http://www.aec.gov.au/ covers the whole process in great detail).

We don't use mechanical or electronic voting machines.  The same standard
applies in all electorates across the country.  We vote by ranking
candidates in order of preference, by writing numbers in pencil in boxes on
paper ballots, which are later counted by hand.

Voting in elections at all levels of government (local, state, federal) is
mandatory for every citizen over the age of 18.  If you don't vote, you get
fined about $20, unless you have a very good reason.

We have almost 13 million voters who vote in over 8000 polling places spread
across a country roughly the size of the continental United States, and we
still usually get most results reported within a few hours of the polls
closing at 6pm on election Saturday.

As a computer engineer, I'm astounded at the idea that relying on a private
company using proprietary software running on consumer-grade operating
systems without a paper trail could even be considered as a reasonable way
to run an election.

To my mind, if you're going to have a computerised voting system, it

1) must have specifications, source code, test procedures & results publicly
   available & open to rigorous scrutiny,

2) must use secured, tamper-resistant machines with stable operating systems
   in known & authorised configurations (I'm thinking some minimalist
   variety of BSD or Linux so that the underlying operating system source
   code can also be publicly available for inspection),

3) must give voters tangible evidence that their vote has been cast as they
   intended (a printed human & machine readable "vote card" which gets
   checked by the voter then placed in a ballot box),

4) must link these "vote cards" back to the electronic vote (via an
   anonymous ID such as a serial number) so that they can be routinely
   cross-checked during counting to confirm that the electronic votes match
   the printed votes exactly, and

5) must provide extensive audit trails & logging to ensure that any
   necessary post-vote inspections & verifications can be confidently
   carried out.

Without at least that (and probably a whole lot more I haven't thought
through yet), there's no way you can honestly be comfortable that your votes
are reasonably safe from fraud, election rigging, or simply incompetence in
counting.


Electronic voting: social aspects

<Andrew Ó Baoill <andrew@funferal.org>>
Sun, 28 Dec 2003 12:09:47 +0000

I've recently posted an essay on electronic voting online, looking at some
of the social and cultural aspects of the issue, and examining the
implementation in Ireland. In short, the rush to prove how 'cutting edge'
the Irish economy is has led to the unnecessary adoption of a system that
has serious flaws (no independent audit trail) and that may be of more harm
than benefit to Irish democracy. It may be of interest to some readers.

http://funferal.org/mt-archive/000455.html

Andrew o' Baoill

PhD student, Institute of Communications Research, University of Illinois
andrew@funferal.org / +1-217-332-3263 / http://funferal.org


Re: Over-reliance on PowerPoint (NewsScan, RISKS-23.08)

<Ron Bean <rbean@shell.core.com>>
Fri, 26 Dec 2003 11:58:54 -0600

Ironically, the best antidote to PowerPoint may be a guide to technical
writing that was published by NASA many years ago, and can still be
downloaded from NASA's own servers:
  http://techreports.larc.nasa.gov/ltrs/1964-cit.html

That page is a link to this file:
http://techreports.larc.nasa.gov/ltrs/PDF/NASA-64-sp7010.pdf

"Clarity in Technical Reporting" by S. Katzoff was written in 1955 and
circulated informally at NASA's Langley Research Center.  Popular demand led
NASA to publish it officially in 1964. The PDF file on the web is a scan of
a copy that was printed in 1973.

The first 16 pages are about written reports, the last 9 pages are about
verbal presentations. The author assumes that the slides will be charts and
graphs, not bullet points.

Of course this doesn't solve the real problem at NASA, which is that people
didn't want to talk about the bad news. Tufte's anti-PowerPoint document
calls the NASA presentation "an exercise in misdirection", which implies
that it was done that way on purpose.

  [A response by Lauren Weinstein to this subject on Dave Farber's IP had
  this message, added here by PGN:

    An interesting point is that the 1-inch recorder and the related sensor
    array was installed ONLY on Columbia.  As the first operational shuttle,
    it had been outfitted with masses of sensors (and the tape system) that
    later shuttles didn't have.  Luckily, they kept running the system
    instead of pulling it out or shutting it down, even 20+ years later...
    otherwise much of that data would have been unavailable.

    It staggers the mind to think that that data tape (and the camcorder
    tape that apparently was loose from its case) survived at all.]


Re: Poor writing is the problem, not PowerPoint (Garfinkel, R-23.09)

<Julian Thomas <jt@jt-mj.net>>
Sun, 28 Dec 2003 21:22:11 -0500

>...  Specifically, WYSIWYG systems lead to a focus by the user on
>appearance, not on structure or content.

To say nothing of management who emphasize appearance, not content.


An economic argument against PowerPoint

<Carson Harding <harding at motd.ca>>
Mon, 29 Dec 2003 10:24:23 -0700

I worked for a time in an engineering department of a power company.  The
vice president in charge of engineering forbade the use of any PowerPoint
presentation in any meeting he headed. His argument was economic: he didn't
want his engineers wasting time and the company's money making pretty
presentations when they should be engineering.


Re: Railroad accident (Kuenning, RISKS-23.09)

<John Hines <jbhines@newsguy.com>>
Tue, 23 Dec 2003 21:51:09 -0600

> all railroad cars should be required to have reflectors (or reflective
> paint) on the sides.

They already do here in the US.  All freight cars have reporting marks,
which are read via optical readers. These are painted in highly visible
reflective white on black for machine reading.

Taggers in the 'hood have figured out that if you don't paint over those
marks, the RR doesn't have to repaint the car, and the artwork lasts till
the next scheduled paint job.

Selling ad space on the sides of cars is of limited use, none to the rail
car leasing companies, or the rail road, and you sure wouldn't want a
railcar advertising your competition sitting on your rail spur.

  [A sampling of other responses follows.  PGN]


Re: Railroad accident (Kuenning, RISKS-23.09)

<"John A. Stewart" <alex.stewart@crc.ca>>
Wed, 24 Dec 2003 10:11:24 -0500

"A friend once told me that in the Great Plains there are many accidents of
this sort each year. Most crossings are completely unguarded, and at night
a train on an unlit level crossing is almost completely invisible."

Ah, statistics and word of mouth.

I work on a couple of preserved steam locomotives, so maybe I can give a
slightly different perspective.  I'll call this "John's Ten Steps to
Enlightenment", and will let the reader determine whether the reasoning is
sound or not.

1) In Canada, and I presume in the USA, it is my understanding that at a
crossing without gates, a car driver must stop, look, listen, then proceed.

2) Which, if my understanding is correct, leads me to wonder about the
type of people who do not follow these rules; so:

3) A quick web search brings to light this *very* interesting web page:
  http://www.rrc.state.tx.us/divisions/rail/vtstats.html

4) and looking at the "By Gender" column shows that, in this survey, by far,
males are the ones that are getting killed driving through crossings.  Which
brings up:

5) a recent unprotected crossing accident in Southern Ontario where the
police have indicated that impact was at 180km/h, and brakes were applied by
the car driver when the car was doing 240 km/h. (references can be found
again, I have not bothered, because this is an example reference, not a
specific one)

6) maximum speed on roads in North America is, what, 65mph in some states?
100km/h in Canada?

7) young male drivers have very, very high insurance premiums,
as inferred from talking to colleagues with male teens in their house.

8) all recent automobiles have computer controlled engines,

9) leading me to wonder if it is not the lack of paint on trains that is
killing males at grade crossings, but the speed that cars travel at;

10) bringing me to the conclusions that: 1) paint is not going to make much
difference, at all; and 2) cars have the technology to restrict speed, it
should be mandated so.


Re: Railroad accident (Kuenning, RISKS-23.09)

<Ed Ravin <eravin@panix.com>>
Wed, 24 Dec 2003 11:21:18 -0500

Don't they have signs that say "RR Crossing"?  [...]

Railroad crossings are a good example of the "adverse operator" environment
discussed earlier in RISKS postings.  Even crossings with full gates have
collisions from time to time, because of motorists deliberately "sneaking
around" the gate when it is down.

Every intercity bus I've ever been on always stops before going through a
grade-level railroad crossing.  This is because the bus drivers have been
properly trained and understand the consequences of making even the
slightest mistake when crossing railroad tracks (especially if they're
caught, they could lose both their bus driver's license and therefore their
livelihood).  I don't know how often buses collide with railroad trains,
but I suspect it is very, very, infrequently.


Re: Railroad accident (Kuenning, RISKS-23.09)

<Chris Smith <smith@interlog.com>>
Sun, 28 Dec 2003 01:18:51 -0500 (Eastern Standard Time)

Then simply place the reflective markers on the far side of the crossing,
facing across the tracks and *through* the train.  Or place them at track
level, beside or between the rails.  In either case, the view of the
reflectors will be regularly interrupted either by the body of the rail car
or by the wheels.  The overall effect will be that of a flashing light in
the driver's view; this should be more likely to attract attention than the
dark train.

This has a couple of other advantages. The solution is easily scalable, in
that it can be deployed almost instantly at the most problematic crossovers.
Furthermore, the rail owner of a crossing is not on the move across the
country, and may be more amenable to local pressure to take action to make
their crossings safer when presented with an easy and low-cost solution.


Re: Railroad accident (Kuenning, RISKS-23.09)

<David Cantrell <david@cantrell.org.uk>>
Mon, 29 Dec 2003 19:34:44 +0000

I would have thought that a better solution would be for drivers to look
where they are going.  Certainly when I am driving, I can see walls and
hedges and trees when they leap out in front of me.  I am quite sure
that I would be able to see large moving metal objects in front of me.

Lord Protector David Cantrell  |  http://www.cantrell.org.uk/david


Re: Railroad accident (Kuenning, RISKS-23.09)

<"Matthew Delaney" <delaney@ucs.net>>
Thu, 25 Dec 2003 12:58:57 -0500

Regarding Geoff Kuenning's suggestion of attaching reflective markings to
the sides of trains to prevent collisions... I wonder if the railroads who
are against any such regulation have ever considered the cost of the damage
from the vehicles that hit the trains.

Perhaps they did make sure that regulation was in place that completely
absolved them of all liability in those types of accidents, so their cost is
zero?


Re: Loss of bus braking due to nearby illegally modified transceivers

<huge@huge.org.uk>
Wed, 24 Dec 2003 12:13:57 +0000 (GMT)

This is an old issue, and does not apply just to "illegally modified
transceivers". I used to own a car whose engine management crashed when an
entirely legal amateur radio 70cms handheld was operated inside the vehicle.

And with the pressure from governments to exploit bandwidth, the continuing
rush to 'wireless everything' and the lack of analogue skills among today's
electronic engineers, I can only see the problem getting worse.
