The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 23 Issue 3

Friday 14 November 2003


Whirled-Wide Web
Bertrand Meyer
TAB operator error in punter's favour
David Shaw
Astonishing electronic voting "glitch"
Steve Summit
The computer is ALWAYS right
Charles Lamb
Re: California halts e-vote certification
David E. Ross
More on Diebold installing uncertified software in California
Re: A new risk for electronic voting
Steven M. Bellovin
Report raises more questions about voting machines
Belkin: Another protocol-violation-to-sell-products risk
Tim Bradshaw
New definition of "Fish 'N Chips"
Jim Schindler
Minnesota CriMNet shutdown
Steven Hauser
FBI's reach into records is set to grow
Monty Solomon
High-tech microscopes expose Americans' private lives
Monty Solomon
A heavily used RISKY website: France Telecom
Peter Kaiser
Holes found in online job search privacy
Brian Berstein via Monty Solomon
Security patching: a story from the trenches
Rex Black
Bank scam with spaces in trick URL
Mark Brader
Computers in cars: "When you add complexity you add risks"
Richard I Cook
Info on RISKS (comp.risks)

Whirled-Wide Web

<Bertrand Meyer <>>
Sun, 09 Nov 2003 11:50:46 +0100

Source: Le Monde, 30 October 2003,,1-0@2-3228,36-340095,0.html

Spiders are not new to the RISKS bestiary (see 18.46 and 18.58) but I don't
recall seeing this particular issue.  On 28 Oct 2003, the local listeners of
two national radio stations were surprised to hear that it was snowing in
Dinard.  That's a town in Brittany, which has a mild oceanic climate; snow
in October would be exceptional.  The error, corrected after half an hour,
was due to early-morning frost on the web woven by a spider on one of the
weather station's sensors.  "The computer" interpreted frost as snow,
enabling the regional management of Meteo France to claim that the sensor
functioned correctly.  (It did detect the frost!)  They added that that the
system has been working "perfectly" since its installation, to the great
satisfaction of its users.

Before that system was put in place, the airport employed three people to
gather weather data.  They have now been replaced by sensors.  The resulting
information, collected 24x7, is updated every 30 minutes and made publicly
available, in particular for pilots.

Daytime weather reports are checked by a human, but not those issued at night.

Bertrand Meyer, ETH, Zurich
Eiffel Software, Santa Barbara

  [Subject line PGN-spun]

TAB operator error in punter's favour

<David Shaw <>>
Fri, 14 Nov 2003 16:42:09 +1100

A punter [US: gambler] collected AUD$2.6 million after a TAB operator
incorrectly entered his trifecta bet on the 2003 Melbourne Cup, Australia's
most prestigious horse-race.  It seems this system offers the punter the
choice as to whether their bets are read back to them.  He phoned in a $6
trifecta 20 times for the winning combination of the Melbourne Cup.
However, the TAB operator mistakenly entered the bet 203 times, resulting in
the huge windfall.  He had elected not to have the bets read back and was
unaware of the error at the time.  On discovering the windfall in his bank
account, he called the TAB, expecting this to have been a mistake.  The TAB
rules state that if you do not have your bets read back to you, you are
forced to honor the bet, win or lose.  So, he was forced to accept the
winnings!  Quite a remarkable tale!  [PGN-ed]

Astonishing electronic voting "glitch"

<Steve Summit <>>
Wed, 12 Nov 2003 12:42:51 -0500

The *Indianapolis Star*
reported on the latest case of anomalous e-voting results.  Last Tuesday's
Boone County election, using MicroVote software returned about 144,000
votes, with only 19,000 registered voters.  After further review, the 5,352
votes were claimed to have been recorded.  With yet another mistake, does
anyone still trust closed-source electronic voting?  [PGN-ed]

It's interesting to wonder what might have happened if the initial
inaccurate result had not been so glaringly obvious ...

The computer is ALWAYS right

<"Charles Lamb" <>>
Thu, 13 Nov 2003 01:06:52 -0500

According to an article in the Newark NJ *Star-Ledger*, the town of
Southington, CT was testing the Avante International Vote-Trakker machine in
an actual election.  It had a special feature which displays a printout of
the cast vote for voter confirmation.  This feature was nullified by the
registrar who refused to do anything about a voter's claim her confirmation
printout didn't match her vote.

Re: California halts e-vote certification

<"David E. Ross" <>>
Sat, 08 Nov 2003 17:03:56 -0800

While the reported problem in Alameda County was that uncertified software
was loaded into the voting terminals, this is really far more serious.  The
security of Diebold's touch-screen voting system is so weak that someone
outside of Alameda County's election office (someone working for Diebold)
had access to make unauthorized changes to the vote-counting software.

David E. Ross <>

More on Diebold installing uncertified software in California

<"Peter G. Neumann" <>>
Thu, 13 Nov 2003 12:13:54 PST

The *Los Angeles Times* today has an article relating to Diebold's Accuvote
touchscreen voting machines, by Allison Hoffman and Tim Reiterman, entitled
"Secretary of State Orders Audit of All Counties' Voting Systems: Review of
upgraded touchscreen software leads to discovery that two registrars
installed it without state's OK."  Los Angeles Registrar Conny McCormack is
quoted as saying, "All of us have made changes to our software -- even major
changes -- and none of us have gone back to the secretary of state.  But it
was no secret we've been doing this all along.  [Secretary of State Kevin
Shelley] knew we were making changes.",1,531224.story

Shelley's news release announcing the investigation is online at

It must be noted (by PGN) that the Federal Election Commission standards
against which these systems have been certified are so weak that all sorts
of serious problems can remain despite certification.  But patching is
apparently commonplace AFTER certification.  In some cases, the software
actually has to be CHANGED to accommodate each different ballot face, and
think of what Trojan horses might be able to sneak in as a result of that!

Re: A new risk for electronic voting

<"Steven M. Bellovin" <>>
Sat, 08 Nov 2003 15:32:10 -0500

It's worth remembering that mechanical voting machines have their own risks.
The "programming" of the traditional lever machines still used in New York
is an arcane art, and in some ways less susceptible to auditing than
electronic machines -- each machine is set up individually, so every machine
is in some sense configured independently.  The write-in mechanisms are, to
say the least, arcane, and it's very hard for election officials to read
votes scrawled in a too-small space, with a blunt pencil, written at an
improbable angle.  (In my town a few years ago, there was a massive (and
successful) write-in campaign a few years ago, when it was discovered that
only three candidates were running for the three vacant seats on the school
board and one of the three was from a seriously fringe party.)

Me -- I avoided my county's touch screen machines by voting absentee -- I
was out of down last Tuesday, which let me qualify for a mark sense ballot.
Of course, I have no idea if it was actually readable, since there was no
check machine in the county clerk's office...

Report raises more questions about voting machines

<EPIC Info <>>
Thu, 13 Nov 2003 17:20:30 -0500

  (From EPIC Alert 10.23:)

The Congressional Research Service (CRS) of the Library of Congress has
presented to Congress a report entitled, "Election Reform and Electronic
Voting Systems: Analysis of Security Issues."  The report was written in
response to rising concern and questions regarding new electronic voting
systems after recent allegations that these systems use software that is
subject to alarming security vulnerabilities. The report analyzes the
controversy surrounding direct recording electronic (DRE) voting machines -
the first fully computerized voting system - while putting it in the larger
context of election practices and voting machine development.  It details
the types of threats and vulnerabilities that could jeopardize the voting
process, as well as the specific complaints broached by security experts.

While the CRS took pains not to take a position in the debate, it does
recognize that recent analysis demonstrates the existence of security flaws
in DREs, which are cause for concern.  As the report states, "at least some
current DREs clearly exhibit security vulnerabilities.  Those
vulnerabilities pose potential ... risks to the integrity of elections."  It
goes on to list a number of different proposals being advocated to address
these vulnerabilities, including ensuring that security protocols are
followed, improving the standards and certification process for voting
machines, use of open source computer code, and improvements in
verifiability and transparency.  The last point is one that computer
scientists and voting activists have been pushing for, specifically by
requiring voter-verifiable paper print-outs of vote selection for voters to
review.  The CRS stops short of issuing any recommendations, but does
indicate that further investigation and action should be taken regarding
this matter.

The CRS Report on electronic voting is available at:
For background information, see EPIC's Voting page at:

Belkin: Another protocol-violation-to-sell-products risk

<Tim Bradshaw <>>
Wed, 12 Nov 2003 13:33:42 +0000

The Register ( has been
reporting a Belkin wireless router which, once every 8 hours, picks an HTTP
request and redirects it to a web page advertising Belkin's parental-control
system.  Belkin seem to have now
( promised a firmware
upgrade which disables this feature.  How many people will install it is
another question.

Other than the obvious offensiveness of this kind of thing, there are
horrible dangers involved.  I could be half way through some transaction
over the web, and have my *router* unilaterally, decide to redirect my
requests somewhere else.  Worse, a *program* could be doing it, and it might
not even spot that something odd had happened.  Any cache this side of the
router will get randomly poisoned, and so on. This is just a stupid,
dangerous thing to do.

Together with the recent Verisign `Site Finder' service reported in
RISKS-22.91, this seems to be the beginning of something new and, I think,
worrying: important protocols (such as routing or DNS) are being usurped to
sell advertising.  Both of the cases mentioned here are sufficiently clumsy
that they're likely to have hurt the usurper more than the users of these
protocols, but I suspect things will be more subtle and insidious in due
course.  There's nothing wrong with advertising as such, but if it results
in an infrastructure where no one can trust anything to actually work the
way it is meant to, I think there's a significant problem.

New definition of "Fish 'N Chips"

<Jim Schindler <>>
Wed, 12 Nov 2003 22:56:36 -0800

Chips in Fish Help Net Australian Cod Poachers, 6 Nov 2003

Australian fisheries investigators have wrapped up [with fish wrap?] an
illegal poaching operation after inserting microchips into fish then
tracking them to the culprits' freezer, officials said.  Victoria state
Fisheries Minister Bob Cameron said the hi-tech sting began when officers in
his department found an illegal fishing net in a creek in the state's
northwest.  The officers inserted microchips under the skin of the golden
perch and murray cod caught in the net then returned them and waited for the
poachers to turn up.  The fish had disappeared a day later and when officers
stopped the poachers' vehicle they could find no trace of the
animals.  However, a subsequent search of their home uncovered fillets in the
freezer, complete with microchips still emitting signals to the fisheries
officers' tracking devices.  [...]

  [Thus restoring cod peace to its perch in the "inter" net?  PGN]

Minnesota CriMNet shutdown

<Steven Hauser <>>
Sat, 8 Nov 2003 12:00:24 -0600 (CST)

Minnesota has a large database of millions of records of police activity and
incident data compiled on its citizens. The data is not owned by the
government but an extra-legal private entitity, the Minnesota Chiefs of
Police Association. This alone is scary, no recourse for inaccuracy, no way
to assure data is not leaked or used for political or commercial purposes.
News articles show it may have been used in political demonstrations to
target citizens.

Good "death squad" database.

It was also hacked by an unidentified whistleblower who gave State
Representative Mary Liz Holberg supposedly private data about herself.  The
cops are pressuring the Representative to turn over the whistleblower for
prosecution, but the Representative has not yet squealed.  This incident
caused the system to be shut down.

Google search on CriMNet or MJNO to get more articles.

  [The Internetted system is of course thought to be secure because it is
  password protected!  There's a LONG article by Patrick Howe.  PGN]

FBI's reach into records is set to grow

<Monty Solomon <>>
Thu, 13 Nov 2003 01:12:31 -0500

A little-noticed measure approved by both the House and Senate would
significantly expand the FBI's power to demand financial records, without a
judge's approval, from securities dealers, currency exchanges, car dealers,
travel agencies, post offices, casinos, pawnbrokers and any other
institution doing cash transactions with "a high degree of usefulness in
criminal, tax or regulatory matters."
  [Source: Eric Lichtblau, *The New York Times*, 12 Nov 2003; PGN-ed]

High-tech microscopes expose Americans' private lives

<Monty Solomon <>>
Thu, 13 Nov 2003 00:51:20 -0500

Don Campbell, USA Today, 10 Nov 2003

Too many of us [accept] the argument that the concept of personal privacy in
the Internet era is as outdated as the Model T.

Americans can get pretty upset about the ways in which modern technology
drives us nuts - such as telemarketers who disrupt our dinner and spam
e-mailers who make pornographic sales pitches.

But a more insidious invasion of Americans' privacy quietly has taken root
in Florida. It has received little attention from the media except in
Florida and a handful of other states being recruited to join the
enterprise. The project underscores how our fascination with technology
blinds us to violations of our privacy - and highlights the inadequacy of
today's mishmash of federal and state privacy laws.

"MATRIX," an acronym for Multistate Anti-Terrorist Information Exchange, is,
according to its creator, the largest database on the planet, with more than
20 billion records. Working with the Florida Department of Law Enforcement
(FDLE) and $12 million in federal funding, a company called Seisint designed
MATRIX with the objective of compiling an electronic dossier on every
citizen in the nation.

Not surprisingly, the cover story is that MATRIX is needed to fight
terrorism. If that doesn't ping the strings of your patriotic heart, it's
also being touted as the cat's meow when it comes to catching kidnappers and
child molesters.  ...

A heavily used RISKY website: France Telecom

<Peter Kaiser <>>
Thu, 13 Nov 2003 18:29:40 +0100

I am not in France at the moment, but I need to order telephone service in
France, so I went to France Telecom's web site, which advertises itself as
secure.  One eventually finds a button for the order page: a popup window
with minimal decoration and no outward indication of security -- that is, no
"locked/unlocked" symbol.  The page asks for exactly the kind of information
you don't want to become public, including bank details, etc.

It isn't secured.  The information isn't encrypted before being sent.  I
informed France Telecom of this by e-mail, including mentioning that the
page appears to violate European law on the protection of personal
information.  A customer service representative replied:

  "Thousands of orders are placed on every day, we have
   not been informed of problems encountered as a result of orders made on
   our site."  [P-K's translation.  PGN]

I'm not reassured by this glib response, traditional though it may be.

The customer rep gave a number to call to order service by telephone, but
that number -- as she knows, just as she knows I am not in France -- is
unusable outside France, which places added pressure to use the unsecured
website.  If France Telecom left the security symbol on the order page, at
least people would have the information to make an informed choice of
whether to proceed, but it has been deliberately hidden.  And the informed
choice is irrelevant to the laws protecting personal information; those are
an obligation on the business, not a choice by the client.

Directing "thousands" of such orders daily, unencrypted, to a well-known
Internet destination is a risk for both the customers and France
Telecom.  Perhaps France Telecom considers identity theft a uniquely
American crime, but I wonder if anyone at a responsible level is aware of
the legal issues under European law of protecting exactly this kind of
information.  European courts seem to take these issues seriously, I'm glad
to say.

Holes found in online job search privacy (Brian Berstein)

<Monty Solomon <>>
Wed, 12 Nov 2003 08:41:05 -0500

  Brian Bergstein, AP Online, 11 Nov 2003

Some career Web sites, recruitment services and automated job-application
kiosks offer flimsy privacy protections and might even violate employment
and credit laws, a report released Tuesday asserts.  Many job sites still
let too much information from resumes posted online get into the hands of
third parties through online "cookies" that monitor Web surfing, according
to the report, led by Pam Dixon, formerly of the University of Denver's
Privacy Foundation and now head of her own group, the World Privacy Forum.
The report also faults self-service job application computers commonly used
by chain stores.  It says they almost always demand social security numbers
and perform background checks on applicants without clearly stating who will
see the information.  Dixon is urging job seekers to demand more stringent
privacy protections.  She also wants the Federal Trade Commission and the
Equal Employment Opportunity Commission to look more closely at how job
sites and recruitment services handle information.  ...

Security patching: a story from the trenches

<Rex Black <>>
Sat, 08 Nov 2003 13:53:00 -0600

I have a Dell Latitude running Windows 2000 with service pack 2 (I believe).
It is my back-up laptop.  While on a business trip to Denver, my regular
laptop suffered a failure due to a poorly-designed and poorly-tested power
connector on the motherboard (another story).  No problem, thought I, I'll
use the Dell laptop.  I had about five days between my return from Denver
and my departure on my next trip to Tel Aviv.

Given all the security nonsense going on, I felt compelled to install the
latest security patches from Microsoft's Web site.  During the course of the
first attempt to do so, my system was infected by the Blaster Worm.
Fortunately, I have Symantec's Ghost utility running on the system, and I
could revert to the old OS install and start all over.

This time, I resolved to install--and update--Norton Internet Security and
Norton Antivirus prior to loading the security patches.  During the course
of updating the security and virus definitions, my system was again infected
by the Blaster Worm.  However, this time around, with the help of
information and a free utility on Symantec's Web site, I was able to remove
the worm.

I then went to apply the security patches again.  This time, one of the
patches did something untoward to my system and it started crashing.  Since
three days had passed at this point and I was due to leave for Tel Aviv
soon, I didn't have time to isolate the bug.  My guess is that the patch was
not compatible with my particular system configuration.

So, I reinstalled Windows 2000 from the Ghost image yet again, reloaded all
my applications yet again (including Norton Internet Security and Norton
Antivirus), updated the security and virus definitions yet again (escaping
infection this time), and skipped the security patches.  I'm going to trust
Norton Internet Security, Norton Antivirus, and daily updates to those
programs to protect me, because I can't trust the Microsoft security patches
to be adequately tested.

Salient points:

1. One major quality risk for patches of any kind is regression (the failure
of what heretofore worked).  For any emergency patch, there is simply no
time to repeat all the tests run against the regular release.  Since
security patches might well involve code deep within the operating system,
it's no surprise to me that this failure to adequately regression test the
patches resulted in a major incompatibility bug escaping to the field.

2. Regression bugs, particularly those where new code breaks existing
functionality, can easily result in a maintenance release or patch resulting
in a lower (rather than higher) level of system quality.  Regression bugs
might be relatively rare, but, as this case points out, they can be very

3. It was already frustrating to have to spend about a day moving all my
data and applications from my primary laptop to my backup laptop.  Almost
all of that time was spent installing applications on the backup system.

4. Add to that frustration the fact that I had to go through the "install
OS-reinstall apps-update apps" process three times--twice more than had the
problem not occurred in the first place.

All told, rack up three lost days of productivity to security bugs and
general clunkiness in the Microsoft OS.  At my usual consulting rates,
that's thousands of dollars of lost time.  Will Microsoft reimburse me for
that?  No way.  Does that experience make me receptive to the idea of
switching to some other desktop platform (Linux, Mac, whatever)?  You bet.
Am I more-than-ever convinced of the importance of thorough testing,
including regression testing, of any software release?  Absolutely.

Rex Black Consulting Services, Inc., 31520 Beck Road, Bulverde, TX 78163 USA
+1 (830) 438-4830

Bank scam with spaces in trick URL

< (Mark Brader)>
Thu, 13 Nov 2003 17:23:45 -0500 (EST)

We have previously seen examples of scams involving a trick URL, where the
part immediately after "http://" is not the real domain name.  But here now
is a variant that I haven't heard of before -- making cleverly deceptive use
of spaces.

A former co-worker, Donald Teed, reports receiving what at first looked like
one more normal message from an Internet-aware company.  He describes it as
follows: "The e-mail will appear to come from the bank, using the correct
domain, and the link in the e-mail will appear to be a link to the bank,
using the correct URL."  The bank in this case was Capital City Trust
<>.  But the actual URL was like this:

  <a href="


Where you see a row of 0's, I have replaced the characters that were
originally there, to prevent anyone from following this link by accident.
Where you see blank lines, there were originally a large number of spaces.

So the link claims to go to, and if your browser shows you
the URL before you select the link, it'll be truncated to a reasonable
length and you'll see the part before the row of spaces and *still* think
it's going to

And then when you get to the actual site, which is at,
you'll find, as Donald says, "a complete clone copy of the bank's actual Web
site" -- only, of course, what it does is capture your account and password
information so the bad guys can impersonate you.

There are days when I'm really glad I don't read e-mail in a Web browser.

Mark Brader, Toronto

  [The site has now been shut down.  PGN]

Computers in cars: "When you add complexity you add risks" (R-23.02)

<Richard I Cook <>>
Thu, 13 Nov 2003 07:36:58 -0600

The reporter noted a consumer asking, "Why does it have a computer that
reads the problems if they can't fix them?"

Although it makes me a bit of an old geezer to admit it, Bill Karcher framed
this idea in the early 1970's. One of the systems software heavies from
Control Data Corporation (the original 'supercomputer' maker), Karcher's Law
was "Don't check for error conditions you are not prepared to handle." This
was particularly important when memory and processor cycles were at a

The problem described by this reporter is a common one, namely, "punt to the
user" style systems. The idea that the user will be able to manage all the
fault conditions that the computer can detect leads, inexorably, to
unusuable systems. Of course, even if the history of such a system is that
it produces lots of false or misleading information or behaves strangely or
unintelligibly, whenever an over failure does occur, the user will be blamed
for having ignored the warning.

Please report problems with the web pages to the maintainer