The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 23 Issue 50

Thursday 26 August 2004


Sequoia's new paper audit trail voting systems
New Mexico votes lost in 2000
Jeremy Epstein
Mac Year 2004 bug
Tom Van Vleck
Ford dumps Oracle system after four years of trouble
Lindsay Marshall
Don't get stuck in the dark: a year later
Jeff Jonas
U.S. air travel without government identification
Dan Wallach
U.S. military sites offer a quarter million Microsoft Word documents
Diomidis Spinellis
The GTS Katie - A risk of privatization or outsourcing
Joshua Newman
Fire engine startup risks
J.D. Baldwin via Gary G. Taylor
Google as back door for pay-per-view information
Sergei Lewis
Network vandals face prison sentences
"EXIT" signs too high
Henry Baker
Re: U.K.: Don't smile for your passport picture!
James Moyer
Michael Bednarek
Re: Airport Express crypto broken by DVD Jon
Marshall Clow
REVIEW: "Computer Security for the Home and Small Office", Thomas C. Greene
Rob Slade
Info on RISKS (comp.risks)

Sequoia's new paper audit trail voting systems

<"Peter G. Neumann" <>>
Wed, 18 Aug 2004 14:28:09 PDT

Sequoia Voting Systems has developed a voter-verified paper audit trail for
their touch-screen voting system, which will be used in Nevada's state
primary election.  When it was demonstrated for California Senata staffers
earlier in August, the audit trail failed to record votes that testers had
cast.  Sequoia advertises that its touch-screen machines provide "nothing
less than 100 percent accuracy."  [Source: Kim Zetter, Wrong Time for an
E-Vote Glitch, Wired News, 12 Aug 2004; PGN-ed] [Kim did not report whether
the *electronic* version was correct, although in that the paper version is
supposed to be IDENTICAL in the end-results, that is itself suspect.  By the
way, for those of you wondering about ownership, Sequoia is not a US-owned
company.  PGN],2330,0-1246-64569,00.html

New Mexico votes lost in 2000

<Jeremy Epstein <>>
Mon, 23 Aug 2004 07:26:56 -0400

According to a WashPost article, at least 678 votes were entirely lost in
one county in New Mexico in the 2000 election.  In one of Rio Arriba
county's voting districts, not a single vote was recorded for either Bush or
Gore, and in another district not a single vote was recorded for any
candidate for any office.  The problem occurred with "early voters".
Because it's all electronic (no paper audit trail), there's absolutely no
record of what the votes should have been.

The problem wasn't a bug in the software per se, or an attack on the voting
machines, but rather an error in how the county election officials entered
the information about the races.  The error was discovered after the
election that only affected early voters, but by that time the votes were

For all those election officials who say "it can't happen here", let this
be a warning!

And BTW, the number of lost votes in that one county is greater than Gore's
victory margin in New Mexico.  Lest anyone think accurate voting is a
partisan issue, this is one where it could have swung the state to Bush.
Had Gore won Florida, New Mexico's five electoral votes would have decided
the election.

Mac Year 2004 bug

<Tom Van Vleck <>>
Thu, 26 Aug 2004 11:47:13 -0400


[Jo Lejeune] Following John Delderfield's report on sudden expiry date
message in Canvas 3.5.5, we've also faced this issue last week.  After
contacting (now owned by ACD Systems), we've received detailed
info about this Canvas 3.5 Mac "Year 2004" bug :

To make a long story short, Canvas maintains a counter for date/time
settings. In the Mac architecture, the theoretical start date for all clocks
is 1904. All times from there forward are measured after 1904. As this value
increases in size, it reached the limit in terms of the allotted length for
that string in the Canvas 3.5 Mac code. Once it hits that limit, it begins
to count in negative numbers, thus triggering a Canvas expiration.

The existence of the dialog box regarding an expiration is because the
installation code for Canvas 3.5 was the same code used for trial, NFR, and
Beta versions. So when the date count flips to negative because of this bug,
Canvas is considering that negative date to reflect that it's a
trial/NFR/beta copy and is expiring it.

Interestingly, we believe this same thing could happen on Windows, but
because Windows has a clock start date of 1970, the problem wouldn't
manifest till 2070.

Unfortunately, according to the same source, since "the source code and
compilers for 3.5 are not accessible at this time to allow any patches" the
only workarounds are :

  * use the mechanism for exporting files out into other formats
    (the EPSF format is really effective while exporting to Illustrator)

  * rolling the Mac clock settings back (only a temporary workaround)

As a more long-term solution Deneba can only recommend an upgrade to Canvas
9 (which will open all Canvas 3.5.4 or higher files directly).

Ford dumps Oracle system after four years of trouble

<"Lindsay Marshall" <>>
Wed, 18 Aug 2004 09:04:28 +0100

After four years of trying to integrate Oracle's eVEREST Internet-based
purchasing software with its own existing systems, and having spent in
excess of US$200 million, Ford is reverting to legacy systems (which
fortunately are still operative).  Many factors were reportedly involved,
although they were not specified other than supplier complaints.  [Source:
Reuters, 18 Aug 2004; PGN-ed]

Don't get stuck in the dark: a year later

<"Jeff Jonas" <>>
Sat, 21 Aug 2004 05:16:01 -0400 (EDT)

For the one year anniversary of the power failure, folders were handed out
at the train station "Don't Get Stuck In The Dark": trans-hudson
transportation options.  It lists the trains, busses and ferries and their
terminals to consider options if any are closed (due to power fail, too many
Republicans, etc.).

Just like the recent IEEE Spectrum article says, a year later and we're not
any more prepared than before, and only resigned to accepting that more
power fails are possible and even likely.  I'd assert this is yet another
indication that the Patriot Act ought to be repealed and the Homeland
Security program de-funded.  After 2 years our vital infrastructures are NOT

U.S. air travel without government identification

<Dan Wallach <>>
Thu, 19 Aug 2004 19:41:02 -0500

Recently, John Gilmore has been publicly decrying the unstated Federal
requirement that one must present government-issued identification (e.g., a
driver's license) in order to travel via air within the U.S.  Unfortunately
for me, I got to test this requirement on a recent trip to give a talk at
Fermilab when I managed to leave my driver's license at home.  Here's what

For what it's worth, I've recently taken to carrying two wallets.  The large
one has my money, credit cards, receipts, and other assorted junk.  The
small one has my business cards and the two ID cards I most often need: my
driver's license and my university ID card (a magstripe card that I need to
get into my building after hours).  In order to make my flight at the
ungodly hour of 7:35am, I had to get up quite early.  In the confusion of
the morning, I managed to leave the little wallet at home.  I didn't notice
this oversight until I was standing in front of the ticket counter at
7:00am.  In order to have gotten my driver's license, I would have had to
miss my flight.  Instead, I decided to see how the system would work without

== Intercontinental Airport: Houston, Texas

I pleaded my case to the Continental ticket agent.  "Do you have any picture
ID on you at all?"  Nope.  I showed her my Continental frequent flyer card,
my credit card, and my social security card (which I probably shouldn't have
had in my wallet, but that's a story for another day) as well as my boarding
pass, printed that morning on my home computer.  She escorted me to the
security guard, with all my cards in her hand, and briefly described the
situation.  The guards expressed some confusion, but decided to let me
through.  After that, everything proceeded normally.

== Fermilab: Suburban Chicago, Illinois

My hosts at Fermilab had helpfully arranged a rental car for me.  It dawned
on me that I'd never get out of the rental car lot without a driver's
license.  I called Fermilab's travel agent and explained my predicament.  As
it turns out, Fermilab has a limo service that they regularly use.  The
travel agent made a reservation for me with the limo service, who happily
picked me up at the airport and delivered me to Fermilab.

If you're into high-energy physics, you know all about Fermilab.  For the
rest of us, they have a ring, about 1km in radius, around which they fling
protons and anti-protons at very high energies, arranging for them to
collide inside a massive detector.  Those high-energy collisions cause all
sorts of interesting subatomic particles to come flying out, hopefully to be
detected by a variety of impressive devices.  (My high school physics
teacher quipped that it's like trying to learn how cars work by smashing
them together and seeing what falls out.)  Before September 11, the Fermilab
campus was wide open, and the locals could go fishing in the lake, jogging
around the ring, and so forth.  These days, you have to go to a guard shack.

Visitors get a limited pass and are instructed to only go to specific places
where they're allowed (e.g., the education center).  I'd been told that a
badge would be waiting for me.  The guard asked for my ID.  "Let me tell you
a story," I began.  Ultimately, the guard had to telephone my hosts who
drove down to the guard shack to pick me up.  After that, it was smooth

== O'Hare Airport: Chicago, Illinois

Everybody to whom I'd told this story was amazed that I'd gotten as far as I
did, and I was repeatedly warned that O'Hare security was quite stringent.
Just to make sure, I had the limo get me to the airport a full two hours
before my 11:00am flight.  I printed out my boarding pass using the
Continental kiosk, using my credit card to authenticate myself to the
system, and then explained my story to the ticket agent.  "Do you have any
government issued ID?"  Sorry, no.  She wrote "SSSS" in big letters on my
boarding pass, highlighted it in pink, and pointed me at the security
checkpoint: the special security checkpoint without a line in front of it.
I walked up and presented my boarding pass to the guard. "ID?"  I began my
story, but the only phrase that seemed to matter was "No ID", which she
wrote onto my boarding pass.  She then wrote "SSSS" again and circled it,
also circling the original pink-highlighted copy.  On I went.  First the
normal X-ray machine, take your laptop out, etc.  Then, on the other side,
they gave me the extended treatment, which normally occurs when I've been
"randomly" selected.  They X-rayed my shoes, swabbed my laptop for
explosives, and unzipped every compartment of my luggage.  After I passed
all of those tests, they let me through, never once examining any of the
cards I had in my wallet.

Moral of the story

While my story is hardly the same thing as a conclusive examination of the
policies of all major U.S. airports, my experience shows that it is, indeed,
possible to do interstate air travel without a driver's license.  You're no
longer using the "fast path" of the airport security apparatus, and there is
clearly some variation in how the rules govern your slow path through the
system.  However, if you're willing to put up with the "SSSS" treatment,
then it appears that you can legally travel by air within the U.S. without a
government-issued ID.  (Gilmore acknowledges this in his lawsuit, which is
focused on finding out where the requirement for presenting ID came from, in
the first place.)


As a Continental frequent flyer, I was invited to show up at the airport to
be measured for a new biometric-based system that they've installed in
Houston. (I think it measures fingerprints, but I'm not entirely sure.)  I
was out of town, and thus unable to give that system a shot.  They do
require several forms of ID to get yourself registered, so it will have to
wait for another day.  Maybe I'll give it a try and write something about it
later for RISKS.  For all the known issues with biometric authentication,
it's quite difficult to leave your fingerprints at home in the wrong

U.S. military sites offer a quarter million Microsoft Word documents

<Diomidis Spinellis <>>
Wed, 25 Aug 2004 23:33:02 +0300

I was Google-searching for the Air Force Operational Test & Evaluation
Center publication "Software Maintainability - Evaluation Guide".  To
make my search more efficient I restricted it to military (.mil) sites,
using the Google keyword "".

I was not able to find the publication I was looking for, but was surprised
to see a number of Microsoft Word documents in the search results.  Most
comp.risks readers are surely aware that earlier versions of Word, running
on earlier versions of Windows would include in unused portions of the
document file anything that was previously in the memory space where Word
was executing.  A number of past comp.risks articles have documented
embarrassing incidents of confidential data leaking through Microsoft Word
documents; see for example RISKS-17.76, Thomas Gebe, "Risks of using
Microsoft Word", and RISKS-21.40, Clive Page, "Word file turns into two
disjoint texts".

I then modified my search to look for Microsoft Word documents made
available on the web by US military sites:

The search reports about 266,000 results.  I am aware that the US military
implements a strict separation policy between operational computers and
machines connected to the Internet, and that truly confidential data is
probably stored in multilevel secure systems protected by mandatory access
controls.[*]  However, I doubt that no gems are to be found in such a large
volume of inherently leaky data.

Diomidis Spinellis -
Athens University of Economics and Business

  [* Probably not multilevel secure.  More likely "system high" all
  aggregated together at a particular level such as Top Secret.  PGN]

The GTS Katie - A risk of privatization or outsourcing

<Joshua Newman <>>
Tue, 24 Aug 2004 14:00:55 -0700

To summarize this rather odd story in a single sentence: For almost two
weeks in July 2000, about 10% of the Canadian Army's equipment and a number
of Canadian soldiers were made unavailable because the GTS Katie, a
privately-owned American vessel carrying them home to Canada under a
contract with the Canadian Government, became embroiled in a financial
dispute between subcontractors; its owners, Third Ocean Marine Navigation,
refused to deliver the troops and materiel until the dispute was resolved.
Finally the ship was boarded and taken over by Canadian military personnel
and escorted by Canadian warships to port.

Fire engine startup risks (J.D. Baldwin)

<"Gary G. Taylor" <>>
Wed, 18 Aug 2004 14:59:14 -0700

>From a discussion on scarydevilmonastery. Here's the original post, pasted
>from google groups; the thread continues:

From: J.D. Baldwin (
Subject: This is why people hate computers

View this article only
Newsgroups: alt.sysadmin.recovery
Date: 2004-08-15 11:58:00 PST
I've been ranting and raving, with monotonically increasing intensity
(both here and IRL), about how much more computers in general are
sucking now than they did a few short years ago -- and about how the
trend shows no sign of changing.  But this is real Next Level stuff.

A warning note from one of the deputy fire chiefs in the city
department in which I am a part-time firefighter:

    With [certain trucks], there are computers that activate when
    the ignition is turned on.  The computer diagnoses several
    system checks on the engine prior to it starting.  If you do
    not allow the computer to complete its system check prior to
    starting the engine, the engine will start, but then
    immediately shut down.  You then have to wait several minutes
    to allow the computer to reset before the engine will start.
    I would recommend the following procedure to be followed to
    prevent this from occurring.

    1.  Turn the ignition switch on.

    2.  Watch your instrument panel at the top of the dash and it
        will show all the checks that are occurring.

    3.  All the indicator needles on the gauges will move almost
        completely on the dials and then return to their normal

    4.  When the gauge indicators return to their normal position,
        you can then start the engine.

Okay, let me get this straight:  you have taken the simplest technical
procedure known to man -- starting a vehicle -- and turned it into a
... well, not a *complex* operation, exactly, but what the hell kind
of "computer" can't handle a quick reset?  Some driver gets just a
little overexcited, and turns the switch in one smooth motion to
"start" (you know, the way everyone starts every other car in the
world?), and now the apparatus is out of commission for "several
minutes"?  So a fucking COMPUTER can pull its head out of its ass?

Meanwhile, of course, someone is having a heart attack, or perhaps his
house is burning down with a kid inside, or ... you get the idea.

Google as back door for pay-per-view information

<Sergei Lewis <>>
Mon, 23 Aug 2004 13:08:07 +0100 (BST)

Google's bot is often allowed to crawl areas of sites normally restricted to
subscription-only or pay-per-visit customers. This practice risks rendering
the site content vulnerable to automated retrieval from the Google cache.

More here:

Network vandals face prison sentences

<"NewsScan" <>>
Thu, 05 Aug 2004 08:06:50 -0700

Pleading guilty to attempts to hack into the national computer system of the
Lowe's home improvement chain and steal credit card information, three
Michigan men now face sentences of up to 25 years in prison. In the
indictment, federal prosecutors had said that the men accessed the wireless
network of a Lowe's store and used that connection to enter the chain's
central computer system and eventually to reach computer systems in Lowe's
stores across the country. Lowe's executives say the men did not gain access
to the company's national database and that all customers' credit card
information are secure.  [*San Jose Mercury News*, 5 Aug 2004; NewsScan
Daily, 5 August 2004]

"EXIT" signs too high

<Henry Baker <>>
Fri, 13 Aug 2004 13:39:44 -0700

This is not a new risk, nor is it even computer-related.  However, many
reading this list travel a lot, so I thought it might be informative.

I've noticed that all hotels provide "EXIT" signs, but they are all up near
the ceiling.  Unfortunately, in the case of a fire, there will also be smoke
up near the ceiling, so you'll never see these EXIT signs.

This is why airplanes have installed light systems on or near the floor, so
you can crawl your way to an exit if necessary.

What will it take for hotels and other public facilities to move their exit
signs down to locations where they might actually be useful in the case of a
real fire?

  [Although out of the RISKS mainstreams, this item has some relevance
  because of the lack of emergency environmental foresight, which also
  arises in some computer-based systems.  PGN]

Re: U.K.: Don't smile for your passport picture! (RISKS-23.49)

Thu, 19 Aug 2004 21:37:00 -0700 (PDT)

The non-smile requirement for UK passport pictures has also been adopted by

Interestingly, biometric systems probably work best with non-color
photos. After all, humans work best with non-color photos (the definition of
the face comes out strongest in black and white. Even today, headshots used
by actors are black and white for this reason.)

Given this, photo ID cards should have always been in black and white, why
they are in color remains a bit of a mystery to me.

Re: U.K.: Don't smile for your passport picture! (RISKS-23.49)

<Michael Bednarek <>>
Mon, 16 Aug 2004 13:05:06 +1000

This contrasts with the position of passport officials in Germany who,
reluctantly, allowed a man to stick out his tongue on a passport photo.
He had to sign a statement exculpating the officials of any consequences
of the risks of such a photo at foreign border patrols.

Michael Bednarek, IT Manager, Tactical Global Management
Waterfront Pl, Brisbane 4000, Australia.

Re: Airport Express crypto broken by DVD Jon (RISKS-23.49)

<Marshall Clow <>>
Sun, 15 Aug 2004 07:19:02 -0700

>Jon "DVD Jon" Johansen has cracked the Apple Lossless encryption ...

This seems unlikely to me.

In the first place, there is no such thing as "Apple Lossless Encryption",
but rather "Apple Lossless Compression".  What appears to have happened is
that Mr. Johansen has found the RSA key used to communicate with the Airport
Express - a completely different accomplishment.

[Note that he doesn't claim to be able to create "Apple lossless"
files, but rather to send them to the Airport Express base station.]

Marshall Clow     Idio Software   <>

REVIEW: "Computer Security for the Home and Small Office", Greene

<Rob Slade <>>
Tue, 17 Aug 2004 08:46:31 -0800

BKCMSCHO.RVW   20040727

"Computer Security for the Home and Small Office", Thomas C. Greene,
2004, 1-59059-316-2, U$39.99/C$57.95
%A   Thomas C. Greene
%C   2560 Ninth Street, Suite 219, Berkeley, CA   94710
%D   2004
%G   1-59059-316-2
%I   Apress
%O   U$39.99/C$57.95 510-549-5930 fax 510-549-5939
%P   405 p.
%T   "Computer Security for the Home and Small Office"

Thomas Greene asked me to do the technical review for this book, which
speaks to his bravery, regardless of what it says about his wisdom.  So
there's no point in pretending that I'm unbiased here.  However, I must say
that I was bracing myself for yet another security book by a writer rather
than a techie--and was delightfully surprised, right from the beginning, at
how useful Greene's material was.

The "Introduction" is a bit unusual: it doesn't lay out the theme or
structure of the book, but jumps right into dispelling myths and making
suggestions.  You will be introduced to the fact that Greene is an Open
Source/Linux ... well, fanatic might be too mild a term, extremist might be
closer to reality.  There is also a section on how to get, and configure,
the Mozilla Web browser for safer surfing.

Chapter one deals with the dark side of computing, and a variety of
attendant risks.  The descriptions sometimes gloss over technical niceties,
but the assessment of threat levels is more reasonable than in most similar
works.  Vulnerabilities and means of attack are presented in chapter two.
An excellent and helpful list of Windows services that most users can turn
off at no cost to function (and considerable addition in safety) is
provided, as is a similar list for Linux.  A sensible review of social
engineering is presented in chapter three.  More advanced tools are
introduced in chapter four, but, in contrast to many similar works, the text
goes on to provide explanations and suggestions on use.

Chapter five explains many places where information may be stored on your
computer (and network) in the course of normal operations, and how to clean
up after yourself.  Greene really lets himself go in his promotion of Linux
and Open Source software in chapter six, presenting sanguine arguments.  In
chapter seven, a number of anecdotes are used to support the idea that you
can learn about the computer and take control of your own safety, without
having to live in fear of the unknown, or be dependent upon consultants of
unknown competence.

This book presents material for the intelligent but non-specialist computer
user.  The text is readable, and the content useful.  It does not cover the
entire range of computer security, but it does provide valuable information
for those who rely on computers for their work, and would like to achieve a
level of security that is significantly higher than that available by
default, without having to spend a great deal of time and money on it.
Particularly for the Windows XP user, this is my primary endorsement for a
computer security book.  I would also recommend the work to security
professionals, at least as a reference, since it contains Windows
configuration that system administrators should know, and the vast majority

copyright Robert M. Slade, 2004   BKCMSCHO.RVW   20040727    or

Please report problems with the web pages to the maintainer