[via Rebecca Mercuri <firstname.lastname@example.org> PGN]

So the election machine companies say no one has ever proved vote fraud on the voting machines. However, the same cannot be said of massive machine error. Here's a real clincher to the line about voting machines being the safest, most secure form of voting ever devised.

Mississippi Senate Declares Last November's Election Invalid

In the November 2003 election, Hinds County, Mississippi used the WINnVote touchscreen machine (the same as the one used in Fairfax County, Virginia's disastrous election). Poll workers had trouble starting the machines, some of the machines overheated and had to be taken out of service, poll workers were scrambling to find enough paper ballots, and many voters left the polls without voting because of the long delays.
<http://www.clarionledger.com/news/0311/04/mvproblems.html>

The problems were investigated by a Mississippi Senate committee, and on January 19, it recommended invalidating the outcome of the race for the District 91 Senate seat and holding the election over. Two days later, the Senate approved the recommendation. The new election is set for February 10. The last we heard the Democratic candidate, Dewayne Thomas, was considering pulling out of the race and conceding to his opponent, Richard White. We hope Thomas doesn't allow faulty machines to determine an outcome that should be decided by the voters.
<http://www.clarionledger.com/news/0401/21/ma04.html>

Oh, and just for good measure... Venezuela had to cancel its 2000 national election because of voting machine problems
http://news.bbc.co.uk/1/low/world/americas/764372.stm

Let all our votes be counted,
Steve Corrick <OperationEnduringVote.org>
[Apologies to Danny for this item taking so long to surface. PGN]

About 3,000 people got opposite results when they were tested for gonorrhea and chlamydia over an 18-month period. Because of a faulty diagnostic machine in Cranbrook (southeastern British Columbia), positive and negative test results for the two sexually transmitted diseases were reversed. About 3,000 people were tested. The 83 that were positive were incorrectly told they were clean. The 2,900 or so that were negative were told they were positive and were given the standard treatments.

From a health standpoint the 83 sick folks come out the worst, because their treatment was delayed for months or years. But even the folk who were well went through the drug protocols and other exams and treatments — which have their own secondary effects, plus, of course, the social/inter-personal problems which being (mis)diagnosed with an STD will cause, especially with regard to patient partner tracking.

One Would Have Thought that someone in the medical office or the lab or the insurance or the pharmacy or somewhere..., looking at 3,000 test results, would have quickly noticed that instead of finding a positive rate of 3% these tests were coming back at 97%. One would Also Have Thought that enough of these people would have gotten a second set of tests so as to raise eyebrows a lot earlier.

[Thousands Given Wrong STD Results (Associated Press, 30 Oct 2003); PGN-ed from Danny's initial abstracting]
http://www.newsday.com/news/health/wire/sns-ap-std-tests-reversed,0,3203781,print.story?coll=sns-ap-health-headlines

Also, see US Gov't FDA recall notice (which suggests there were similar incidents in other places):
http://www.fda.gov/cdrh/recalls/recall-072103.html

Canadian local coverage:
http://cnews.canoe.ca/CNEWS/Canada/2003/10/29/240955-cp.html
Rescue personnel from the Neenah-Menasha Fire Rescue service responded to a 911 emergency call for a possible heart attack victim within two minutes. However, it was the right address in the wrong town. (Both towns had the identical address.) [Source: An AP article (from the *Star Tribune*, datelined Neenah, Wisconsin) PGN-ed.] Whereas there are procedures and database checks to prevent incorrect locations in the 911 databases, it is still possible for neighboring cities to have identical addresses. The risks here are that the data may look correct and even validate, but still be wrong. [We have reported at least one similar case previously. PGN]
Bank ATMs Converted to Steal Bank Customer IDs http://www.utexas.edu/admin/utpd/atm.html A team of organized criminals is installing equipment on legitimate bank ATMs in at least 2 regions to steal both the ATM card number and the PIN. The team sits nearby in a car receiving the information transmitted wirelessly over weekends and evenings from equipment they install on the front of the ATM (see photos). If you see an attachment like this, do not use the ATM and report it immediately to the bank using the 800 number or phone on the front of the ATM. The equipment used to capture your ATM card number and PIN is cleverly disguised to look like normal ATM equipment. A "skimmer" is mounted to the front of the normal ATM card slot that reads the ATM card number and transmits it to the criminals sitting in a nearby car. At the same time, a wireless camera is disguised to look like a leaflet holder and is mounted in a position to view ATM PIN entries. The thieves copy the cards and use the PIN numbers to withdraw thousands from many accounts in a very short time directly from the bank ATM.
New York organized crime figures reportedly bilked millions of unsuspecting consumers out of more than $200 million over five years by piggybacking bogus charges on their telephone bills ("cramming"). [Source: William K. Rashbaum, *The New York Times*, 11 Feb 2004; PGN-ed] http://www.nytimes.com/2004/02/11/nyregion/11MOB.html
Authors in the news — unintentionally

A software glitch exposed the real identities of book reviewers at Amazon's Canadian Web site — thereby revealing that some authors are in the practice of posting anonymous glowing reviews of their own work. [Surprise.] One defender of the practice is author John Rechy, who wrote a favorable review of his latest book, posting the review anonymously as "A Reader From Chicago." Rechy says: "That anybody is allowed to come in and anonymously trash a book to me is absurd. How to strike back? Just go in and rebut every single one of them." The glitch has since been unglitched. [AP/*San Jose Mercury News*, 14 Feb 2004; NewsScan Daily, 17 Feb 2004]
http://www.siliconvalley.com/mld/siliconvalley/7955264.htm
On 15 Feb 2004, an article appeared in one of Israel's leading newspapers, *Maariv*, claiming a Trojan horse _might_ have been installed by Egypt in the Israeli Arrow anti-ballistic missile system. You can find an article I wrote on the subject, specifying the known facts at: http://www.math.org.il/arrow-trojan.html Also email@example.com +972-50-428610 (Cell) http://vapid.reprehensible.net/~ge/Gadi_Evron_Emails.asc
In its report (released on 13 Feb 2004), a General Accounting Office study notes that CAPPS II (intended to pick out potential terrorists from among millions of air passengers) has run into "significant challenges" posing "major risks" to its deployment and public acceptance. Problems include overall system reliability and false positives, and resolving the rights of those falsely identified. Passenger-provided information would be outsourced to government contractors for analysis, the government would check supposedly validated identities against a watch list, and the result would be a green, yellow, or red risk rating for each would-be passenger. Allegedly only about 4% would be rated yellow, and "an average of only one or two people a day" would be rated red. [Remember that even a 1% false positive rate would mistakenly identify tens of thousands of travelers.]

"But the GAO report found that the agency has not adequately addressed seven of eight concerns raised by Congress. These include preventing abuses, protecting privacy, creating an appeals process, assuring the accuracy of passenger data, testing the system, preventing unauthorized access by hackers and setting out clear policies for the system." GAO investigators concluded that, though the agency was making advances in all these areas, progress was incomplete.

[Source: Ricardo Alonso-Zaldivar, *Los Angeles Times*, 12 Feb 2004; PGN-ed]
www.latimes.com/technology/la-na-profiling12feb12,1,3293045.story?coll=la-headlines-technology
GE Energy has now acknowledged the bug reported by SecurityFocus earlier this week ("Software bug contributed to blackout," RISKS-23.18). The AP reports that the company says it distributed an advisory and a fix to more than 100 utility customers last fall. http://www.securityfocus.com/news/8032
Given that VeriSign is strongly hinting that they'd like to soon restart their notorious and disruptive Site Finder domain diversion scheme (see: http://www.washingtonpost.com/wp-dyn/articles/A25819-2004Feb9.html), I believe it would be prudent for the Internet community to begin planning now for appropriate legal, business, and technical actions and reactions for that or related possible eventualities. The PFIR Forum on "E-Mail Issues, Problems, and Solutions": http://forums.pfir.org is available immediately for this purpose as a starting point (even though Site Finder issues transcend e-mail). I can spin off a separate forum for this discussion later if traffic and circumstances warrant it. We need to be discussing these issues now so that if and when VeriSign starts the clock on a Site Finder reactivation we won't be blindsided again. Also, any e-mail on this topic that is not suitable for the public discussion forum is invited at: firstname.lastname@example.org Lauren Weinstein email@example.com firstname.lastname@example.org email@example.com Tel: +1 (818) 225-2800 http://www.pfir.org/lauren http://www.factsquad.org >>> "The VeriSign Song": http://www.pfir.org/vs-song <<<
The Federal Trade Commission has cautioned computer users not to fall victim to a Web site claiming to offer an e-mail version of the federal do-not-call registry. Despite the official-looking appearance of the site's URL, the "Do Not E-mail Registry" has no affiliation with the U.S. government, and is apparently a scam for collecting e-mail addresses on behalf of spammers. However, the site's operators say their registry serves "legitimate direct marketers" who want to make sure their mailings don't go to spam opponents. The e-mail addresses collected by the registry are made available to bulk mailers in an encrypted form allowing them to check for any overlap with their own mailing lists without seeing the actual addresses. [*The Washington Post*, 15 Feb 2004; NewsScan Daily, 17 Feb 2004]
http://www.washingtonpost.com/wp-dyn/articles/A41490-2004Feb14.html
TiVo has always been very open about its data retention policy. It has the ability to review every IR command sent to the box and can track what people watch and how they watch certain programmes. When signing up to the TiVo service, people are explicitly asked if they want to opt-***IN*** to the monitoring scheme. Anecdotally, most people are happy to be monitored in the hope of improving the quality of TV programming. The RISK? Assuming that all data retention is unasked for, unwarranted and unhelpful!
> [The previous item] exemplifies some of the risks of allowing private
> corporations to manage sensitive data without adequate government oversight.

The item has nothing to do with government/private interaction, except for the fact that it was a government/private interaction. The risks apply to *any* sensitive database, public or private. Should we be asking for "adequate government oversight" of *private* databases?

Trying to get sensitive work done on the cheap, without oversight, without verifying qualifications, is asking for trouble no matter who owns the database, no matter what's in the database. If the agency couldn't afford proper maintenance, the solution should have been to not have the database at all.

The current administration does not have a monopoly on stupidity; it's quite abundant in the universe and easy to stumble over. Politicizing the risk only obscures the issue.
Many of you have probably noticed that people who use Earthlink can now opt for a challenge/response spam-protection system. As Earthlink implements this, the first time you send an e-mail to someone using this feature, you get an autoresponse directing you to a web page where you're supposed to prove yourself to be human, providing your name and optionally a short message. Do so and the message goes through.

To defeat auto-completion of this web page by scripts they include an image showing five random letters, which is distorted in the hope of defeating OCR software. You're supposed to type in the five letters in a box in the web form.

Only those images aren't all that random. Because of some business requirements I won't go into just now, I end up confronting this page quite frequently. And my web browser auto-completes forms -- which is nice, since I'm inevitably filling in the same information. What's surprising is that when doing this, my web browser often fills in the "random" image text correctly. It's not always right at first, but if I type the first letter (or sometimes the first two), it completes the rest of the letters correctly.

Some experimenting indicates that in dozens of visits to this challenge page, I've only seen about a dozen distinct "random" text images. I hardly ever type more than the first one or two letters showing anymore.

Getting one of 12 right on a random guess is a low success rate by most measures. But consider that the spammers who are supposed to be blocked by this are already operating a business model where one success in several million is reputedly enough to be profitable.

Addendum 15 Feb 2004: Challenge/Response spam blocking

I just wanted to add some additional information that's come to light in the past few days.

1. Earthlink's challenge-response system seems to be buggy. Today, despite numerous attempts, it keeps telling me I've misread the letters image, for multiple e-mails I'm trying to send.

   I have a couple of customers at Earthlink who are probably going to think I'm ignoring them, but Earthlink is just not letting me send them messages. After doing this a few times I decided to try their help link for visually-impaired people (I'm not visually impaired, but saw no other option). This directed me to an online web-based chat from which I was repeatedly disconnected until I gave up. Hopefully this customer won't be too upset at what would look to him like I'm not listening to him... Right now Earthlink's spam-blocker is so effective that it's preventing even legitimate e-mail from getting through.

2. As a side-effect of this I've discovered what happens if you enter the image text incorrectly (or at least the server thinks you've entered it incorrectly): You get to try again, apparently as many times as you like. Given my previously-discovered non-randomness of the challenge images, it'd be short work for a spammer to load up a script with a collection of correct answers to the challenge, and just have it keep trying until it gets the right one. As I've described previously, the set of correct answers is very small, so this would be nowhere near as challenging as a typical dictionary-style attack.
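The two weaknesses reported above (a pool of about a dozen challenge texts, and unlimited retries) are both things a challenge service can rule out by design. The following Python is an added example, not part of the original post and not Earthlink's code; the class name, the attempt limit and the challenge lifetime are assumptions.

```python
import hmac
import secrets
import time

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ"  # easily confused I and O left out
CODE_LENGTH = 5       # five letters, as in the challenge described above
MAX_ATTEMPTS = 3      # assumed policy: wrong answers allowed per message
TTL_SECONDS = 600     # assumed policy: lifetime of one challenge


class ChallengeStore:
    """Issues one-time challenges and checks answers (hypothetical design)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}    # challenge id -> (message id, answer, expiry)
        self._failures = {}   # message id -> wrong answers so far

    def issue(self, message_id):
        """Return (challenge_id, answer). Only an image of the answer may
        reach the sender; the text itself stays on the server."""
        if self._failures.get(message_id, 0) >= MAX_ATTEMPTS:
            raise PermissionError("attempt limit reached; hold for review")
        # Fresh CSPRNG draw for every challenge: no fixed pool of images.
        answer = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
        challenge_id = secrets.token_urlsafe(16)
        expiry = self._clock() + TTL_SECONDS
        self._pending[challenge_id] = (message_id, answer, expiry)
        return challenge_id, answer

    def verify(self, challenge_id, response):
        """Check a response; a challenge is consumed by its first answer."""
        entry = self._pending.pop(challenge_id, None)  # single use
        if entry is None:
            return False
        message_id, answer, expiry = entry
        if self._clock() > expiry:
            return False
        given = response.strip().upper().encode()
        ok = hmac.compare_digest(answer.encode(), given)
        if not ok:
            self._failures[message_id] = self._failures.get(message_id, 0) + 1
        return ok


def guess_probability(pool_size, attempts):
    """Chance that at least one of `attempts` blind guesses is right when
    each challenge is drawn uniformly from `pool_size` possible answers."""
    return 1.0 - (1.0 - 1.0 / pool_size) ** attempts
```

With a pool of 12 and three tries, `guess_probability` is about 0.23; with 24^5 equally likely answers and the same three tries it is below one in a million.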
I needed to use my corporate travel web site today, after not using it since I first signed up. As you might expect, I had forgotten my password. To have a password mailed to me, I enter my user ID and request it. No problem, except the user ID is my Social Security number, and the password is mailed back unencrypted. In other words, anyone who knows my SSID and has access to the corporate mail system can hijack my account.

My employer's travel web site is a service of getthere.com.

Carl Fink <firstname.lastname@example.org> http://www.jabootu.com

[We've been over this topic many times here, but the message still needs to be reinforced. PGN]
What the Rovers do not have is a simple precaution that would prevent the continuous reset loop that Spirit went through. A simple counter that tracked the number of resets per Sol, the mission timekeeping unit, would have allowed the Rover to degrade gracefully to an "Operator Intervention Required" state. The current strategy came close to putting Spirit into an unrecoverable condition; cut into useful life of the mission; and, most importantly, obscured valuable diagnostic information. The RISK? Using a reset to clear from unrecoverable errors can get you in trouble if the reset does not clear the root cause of the error state.
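The reset counter proposed above, as an added example that is not part of the original post and is not flight software. A JSON file stands in for non-volatile storage, and the threshold of three resets per sol and all names are assumptions.

```python
import json
import os

MAX_RESETS_PER_SOL = 3   # assumed threshold; the post gives no number
NORMAL = "NORMAL"
SAFE = "OPERATOR_INTERVENTION_REQUIRED"
MAX_CAUSES = 16          # bound on the diagnostic log kept across resets
KEYS = {"sol", "resets", "latched", "causes"}


def _fresh(sol, latched=False, causes=()):
    return {"sol": sol, "resets": 0, "latched": latched, "causes": list(causes)}


class ResetGuard:
    """Counts resets per sol in a record that survives the reset itself."""

    def __init__(self, path):
        self.path = path   # stand-in for non-volatile storage

    def _load(self):
        try:
            with open(self.path) as fh:
                state = json.load(fh)
            if not isinstance(state, dict) or set(state) != KEYS:
                raise ValueError("unexpected record layout")
            return state
        except FileNotFoundError:
            return _fresh(None)                  # first boot ever
        except (OSError, ValueError):
            # An unreadable record may itself be the fault: stop looping.
            return _fresh(None, latched=True, causes=["state record unreadable"])

    def _save(self, state):
        tmp = self.path + ".tmp"
        with open(tmp, "w") as fh:
            json.dump(state, fh)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, self.path)               # atomic swap of the record

    def on_boot(self, sol, cause):
        """Call early in every boot; returns the mode to start in."""
        state = self._load()
        if state["sol"] != sol and not state["latched"]:
            state = _fresh(sol)                  # new sol, new budget
        state["resets"] += 1
        state["causes"] = (state["causes"] + [cause])[-MAX_CAUSES:]
        if state["resets"] > MAX_RESETS_PER_SOL:
            state["latched"] = True              # stays set until cleared
        self._save(state)
        return SAFE if state["latched"] else NORMAL

    def diagnostics(self):
        """Reset causes preserved for the operator."""
        return self._load()["causes"]

    def operator_clear(self):
        """Operator command: leave the latched state and restart the count."""
        self._save(_fresh(None))
```

Once latched, the guard keeps returning the operator-intervention mode on later sols as well, and the recorded reset causes remain readable through `diagnostics()` until an operator clears the record.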
> Things have improved enormously since the early garage-door openers, many
> of which opened and closed each time the orbiting Russian Sputnik went
> overhead. [I have not noted that marvelous case here since RISKS-8.38, PGN]

This piqued my curiosity so I thought I'd look around. I've not found the Sputnik/garage door opening to be more than an urban legend and was wondering if you've references to the contrary. Most of what I've found seems to derive from the same source. It seems sunspots are a more logical conclusion.

From alt.folklore.urban:

The full link if you're interested:
<http://www.google.com/groups?threadm=3BDFE8A4.3BE6D2FF%40midway.uchicago.edu>

The 20MHz frequency of Sputnik was not used for things like garage door openers, which probably used the 27MHz frequency band (the same one used by CB in later years). That band was allocated by the FCC for low-power devices (under 100 milliwatt), including remote controls, and cheap toy walkie-talkies. It continued to be used for walkie talkies after CB became big, but other remote-controlled devices were moved off this band up into the VHF frequencies after the CB craze hit.

[Can anyone provide evidence that this is NOT an urban legend? PGN]
Ian Jackson and Markus Fleck-Graffe (in RISKS 23.18) offer some technical criticisms of the SPF proposal. I am not competent to judge the networking pros and cons, but the e-mail system as it exists is most assuredly broken. My e-mail address has been public for years, and appears on my web site, which gets hundreds of thousands of visitors per month. I get a steady stream of unsolicited (yet valuable) personal mail from web site users. And I do get at least a couple hundred spam and virus/worm e-mails per day. I cope. But the junk has suddenly reached a new level. Starting in early January, some spamhaus started using my e-mail address in the From: and Reply-to: lines of a large quantity of bulk messages advertising a product claimed to change the size of a body part. As a result, I received thousands of bounce and rejection notices from all over the world. The flow diminished for a couple of days, then resumed in full force, as the spammer sent out new waves of bulk mail, now advertising a get-rich-quick scheme. It's February 13 now, and the bounces are still pouring in. Of course the actual miscreant is hidden because the spams themselves are originated from what are probably DSL or cable modem connected Windows machines under remote control by the spammers. For a while, I read headers and sent complaints about obviously compromised machines to abuse@ the applicable ISP, but some of those bounced, and most of the rest ignored me. Of course a lot of the spam-bounce messages didn't send enough of the headers back to even figure out who I could complain to. Especially annoying are nastygrams from spam detection services, which should know that spam headers are forged. I have also received rejection notices which announce that the e-mail was refused because it originated at or forwarded through a spammer-compromised server — so why are they sending ME a rejection notice? On top of this came the MyDoom outbreak. 
Almost every Windows-based virus or worm scans browser caches for e-mail addresses, where (mostly) webmaster addresses are to be found. Therefore, when an outbreak occurs, anyone with a popular web site suddenly gets thousands of copies of the latest plague. I can cope with that. But the malware ALSO uses the same list of found addresses to forge From: lines. Hence, thousands of virus/worm e-mails generated in other places have my address in the header. And when the recipient isn't deliverable, thousands of bounce messages come to me, and are obviously harder to filter out than the actual virus. Worse yet are virus protection programs which generate autoreplies to the forged address, to inform me that my server (a Unix box) is infected with MyDoom. Um, if your software is smart enough to recognize MyDoom (or any other virus of recent years), why is it too dumb to know that the From: line has nothing to do with the origin of the item? The critics of SPF suggest that spammers would simply find or invent other addresses to use. Frankly, I don't care about that, so long as they stopped plastering my personal address on hundreds of thousands of fraudulent and disreputable spam messages and viruses, and clogging my server's net connection with vast piles of misdirected bounces. Lawrence Kestenbaum, P.O. Box 2563, Ann Arbor MI 48106, email@example.com The Political Graveyard, http://politicalgraveyard.com
What are the RISKS of publishing a book on how to break software? What are the RISKS of pretending software exploits are really dumb and building lame technology to "stop" them? How do these RISKS trade off? Judge for yourself by reading *Exploiting Software* by Greg Hoglund and Gary McGraw (Addison-Wesley 2004). Early review: http://www.ieee-security.org/Cipher/BookReviews/2004/Hoglund_by_bruen.html Gary McGraw CTO, Cigital http://www.cigital.com