The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 23 Issue 58

Thurs 4 November 2004

Contents

Some thoughts on the 2004 U.S. election process
PGN
Touchscreen voting spawns glitches
NewsScan
Preferential voting software breaks down in San Francisco
PGN
Clocks set back a week too early
Dave Stringer-Calvert
Nuclear Regulatory Commission lab info on Web
Dave Brunberg
Battlefield Robotics are risk to the world public
Edward G. Nilges
Spyware epidemic threatens to stall computer industry
NewsScan
Swedish Hospital forces persons to change names
Peter H
Election candidates' web pages hacked during Finnish election
Erka Koivunen
Re: Internet voting
Hamilton Richards
Address-form glitch proves an easy scam
Gabe Goldberg
Re: TV emits international distress signal
Steve Summit
Re: Is Windows up to snuff for running our world?
Atom 'Smasher'
Re: Do vendors read their own security policies?
jmeissen
Info on RISKS (comp.risks)

Some thoughts on the 2004 U.S. election process

<"Peter G. Neumann" <neumann@csl.sri.com>>
Wed, 3 Nov 2004 18:21:20 PST

It is important to recognize that the election process is a long and arduous
one in which Election Day is just one highly visible manifestation.  The
integrity of our elections depends on almost every step along the way.  That
obviously includes the actual casting of ballots and the creation,
evaluation, certification, testing, and maintenance of voting equipment.
But it also includes the registration of voters; identification,
authentication, and challenging of voters; creation of the actual appearance
of ballots and setting up the voting machines; distribution and handling of
ballot and polling-place information, absentee ballots, and especially
provisional ballots; processing of ballots; tabulation and collection of
results; and proper assurance that voters' ballots are treated with adequate
respect for privacy -- along with oversight of each of the steps in the
entire process.

Historically, many past elections have encountered serious anomalies.  (See
my Illustrative Risks document,
http://www.csl.sri.com/neumann/illustrative.html and click on Election
Problems; that summary of RISKS cases will eventually be upgraded to include
the most relevant of a large number of reported November 2004 anomalies.)
Yesterday's election reminds us once again that each of the steps in the
overall election process represents various potential weak links with
respect to security, system integrity, accountability, recountability,
privacy -- and, indeed, the democratic process.  For example, some exit
polls differed rather substantially from the actual results in some states.
However, in the absence of meaningful audit trails, it is impossible to
determine definitively whether this was the result of a lack of integrity
and accuracy in the exit polls or in the election systems themselves; a
voter's intent remains unknown in the absence of voter-verified audit trails
when using unauditable machines.  On the other hand, having to believe in
exit polls to evaluate whether the unauditable electronic machines were
accurate and noncompromised is also a ludicrous proposition.

When everything comes down to one state -- as it did again this year -- we
are left with unanswered and indeed unanswerable questions about the
integrity of the unauditable all-electronic machines in Ohio.  Among other
vendors, Diebold is known for numerous transgressions.  We have previously
noted here that in California in 2002, the software that was used by Diebold
in 17 counties was not the software that had been certified; the actual
versions in use were different.  In Georgia in 2002, Diebold had
unmonitored dedicated lines into computer systems during the election
process (in case it was necessary to fix (!) problems).  (This is also true
of other vendors, and is apparently used to download software upgrades and
offload results.)  In Ohio in 2003, Diebold's CEO Wally O'Dell wrote to
would-be contributors that he is "committed to helping Ohio deliver its
electoral votes to the President next year."  Overall, the use of
unauditable machines is of particular concern when it is impossible to
determine the presence of bad software, human error, and intentional fraud
-- unless the anomalies are totally egregious, as in the case in Boone
County, Indiana, of 144,000 votes being recorded when only 5,352 people had
voted (RISKS-23.03) or where -16,022 votes were reported in Volusia County,
Florida (RISKS-22.93,94).  Of course, other voting machine companies are
also involved in many other irregularities, so Diebold is not the only
source of problems.

Returning to the notion that the voting problem is a total-system problem,
here are a few more issues.

* The federal election standards are inherently incomplete and extremely
  weak.  This is true of the 2002 standards that replaced the 1990
  standards, although most of the current systems were evaluated against
  the even weaker old standards.

* The evaluation process is normally secret, and funded by the voting
  machine purveyors themselves -- some of whose employees have felony
  conviction records or otherwise questionable backgrounds.

* Many state election officials are overtly partisan, some also serving in
  party positions (as in Ohio).

* The National Institute of Standards and Technology is supposed to be
  involved in setting standards, but its funding is grossly inadequate for
  this task.

* The U.S. Election Assistance Commission has also been seriously
  shortchanged in its funding.

* Legislation cannot reflect all of the possible things that can go wrong,
  but it is absolutely essential that nonpartisan actions and guidelines be
  as carefully and proactively constructed as possible.

* In the 2004 national election, it is already clear that numerous
  irregularities have occurred leading up to and during the election
  (including a variety of what might be called "dirty tricks"), some of
  which even appear to have been illegal.  For example, numerous efforts to
  disenfranchise or harass legitimate new voters were reported in various
  states.  Further complicating the need for a level playing field, there
  were many reports of long lines -- with some voters having to wait two
  hours or four hours to vote, and even a few who had to wait for 9.5 hours!
  The fact that some voters persevered despite such discouraging
  circumstances is truly amazing.

* There were also reports from New Orleans that all of the Sequoia machines
  throughout the city had failed (for example, could not be booted up), and
  that there were inadequate paper backups.

* Training of precinct workers is also a significant problem under confusing
  conditions, as was misinformation and a lack of standards regarding
  provisional ballots mandated by the Help America Vote Act.

* The Election Incident Reporting System (https://voteprotect.org) is
  currently showing 29007 reported incidents (many of which were relatively
  minor, but the total of which suggests some real problems), with
  Pennsylvania, Florida, California, New York, and Ohio leading the pack in
  that order.

And I feel as if I have only scraped a little off the top of the iceberg.
Correcting all of these and other problems is not an easy task, and requires
objective approaches.  But the primary lesson from this election --
irrespective of the eventual outcome -- is that we still urgently need
meaningful election reforms.  It is not too early to do this for the future.


Touchscreen voting spawns glitches

<"NewsScan" <newsscan@newsscan.com>>
Wed, 03 Nov 2004 09:52:25 -0700

U.S. voters across the country reported some 1,100 problems with e-voting
machines, bearing out scientists' concerns that touchscreen machines are
prone to tampering and unreliable unless they're equipped to print out paper
records for recounts. Some problems were blamed on factors as mundane as
power outages and incompetent poll workers, but there were a number of
voters in six states -- especially Democrats in Florida -- who said that
although they voted for John Kerry, when the computer asked them to verify
their choice, it indicated that they had voted for President Bush. One voter
in Clearwater reported that it took her about 10 tries and a quick
touchscreen clean-up with a wet-wipe towel before she could successfully
select Kerry. A spokesperson for Sequoia Voting Systems said the machines'
monitors may need to be recalibrated periodically to ensure the touchscreen
is sensitive enough to record users' votes.  [AP/CNN.com 3 Nov 2004;
NewsScan Daily, 3 Nov 2004]
  http://www.cnn.com/2004/TECH/11/03/electronic.voting.ap/index.html


Preferential voting software breaks down in San Francisco

<"Peter G. Neumann" <neumann@csl.sri.com>>
Thu, 4 Nov 2004 10:07:12 PST

In the election of 2 Nov 2004, San Francisco's district supervisor election
used ranked-choice voting for the first time.  It went just fine on Tuesday
during the election.  Preliminary results showed candidates in three
districts had won by a majority (so no reranking is needed), whereas the
other four seats remained to be determined by the preferential ballot
counting process.  However, the computer processing broke down completely on
Wednesday afternoon when election workers began to merge the first, second,
and third choices into the program that is supposed to sequentially
eliminate low-vote candidates and redistribute voters' second and third
choices accordingly.  However, no San Francisco ballots were lost, because
each ballot has a paper trail.

The software is provided by ES&S (Election Systems and Software, in Omaha).
This system has undergone federal and state testing, as well as pre-election
testing in which everything seemed to work perfectly.  [No surprise to RISKS
readers there.]  The results of four contested supervisors' races are
expected to be delayed up to two weeks.  [Source: Suzanne Herel, *San
Francisco Chronicle*, 4 Nov 2004, front page continued on A7; PGN-ed]
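The two steps the post describes, the majority check that settled three districts and the sequential-elimination count that failed for the other four, as an added illustration (not the ES&S software; ballots below are constructed, and the per-round log is kept so a count can be checked against the paper trail):

```python
"""Instant-runoff (ranked-choice) tabulation with up to three ranked choices,
as used in San Francisco in November 2004. Added illustration; ballot data is
constructed and the tie-break rule is an assumption."""

from collections import Counter


def first_round_majority(ballots):
    """Return the winner if some candidate has a majority of first choices,
    else None. This is the check that let three districts be called without
    any redistribution of second and third choices."""
    firsts = Counter(b[0] for b in ballots if b)
    total = sum(firsts.values())
    for cand, n in firsts.items():
        if n * 2 > total:
            return cand
    return None


def tabulate_irv(ballots, max_rank=3):
    """Sequentially eliminate the lowest-vote candidate and move each affected
    ballot to its next still-standing choice. A ballot with no remaining
    choice is exhausted and leaves the continuing total.
    Returns (winner, rounds), rounds being one Counter per round."""
    ballots = [list(b[:max_rank]) for b in ballots]
    standing = {c for b in ballots for c in b}
    rounds = []
    while True:
        tally = Counter()
        for b in ballots:
            # Highest-ranked choice that is still standing, if any.
            choice = next((c for c in b if c in standing), None)
            if choice is not None:
                tally[choice] += 1
        for c in standing:
            tally.setdefault(c, 0)
        rounds.append(tally)
        continuing = sum(tally.values())
        leader, votes = tally.most_common(1)[0]
        if votes * 2 > continuing or len(standing) == 1:
            return leader, rounds
        # Lowest vote total is eliminated; ties broken alphabetically here
        # (assumption: real election rules specify their own tie-break).
        lowest = min(standing, key=lambda c: (tally[c], c))
        standing.remove(lowest)


# Constructed sample: no first-choice majority, so redistribution is needed.
SAMPLE_BALLOTS = (
    [("A", "B", "C")] * 4
    + [("B", "C", "A")] * 4
    + [("C", "B", "A")] * 2
    + [("C",)] * 1      # only one choice marked: exhausted once C is out
)

if __name__ == "__main__":
    print("first-round majority:", first_round_majority(SAMPLE_BALLOTS))
    winner, rounds = tabulate_irv(SAMPLE_BALLOTS)
    for i, r in enumerate(rounds, 1):
        print(f"round {i}: {dict(r)}")
    print("winner:", winner)
```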


Clocks set back a week too early

<Dave Stringer-Calvert <david.stringer-calvert@sri.com>>
Thu, 28 Oct 2004 19:20:13 -0700

Brussels has been "blamed" for bringing winter a week early to parts of the
country.  About 2,000 clocks on public buildings and railway stations across
the UK have gone back an hour seven days too soon.  An EU directive
dictating clocks should change on the last Sunday of October has been blamed
by clock makers.  Traditionally, clocks changed on the fourth Sunday of
October and most were pre-programmed to do so.  There are five Sundays in
October this year.  [...]  [Source: BBC News]
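The two rules side by side, as an added illustration (not from the BBC story): the "fourth Sunday" rule the clocks were pre-programmed with and the directive's "last Sunday" rule coincide whenever October has four Sundays and diverge by a week whenever it has five, as in 2004.

```python
"""Fourth Sunday of October versus last Sunday of October. Added illustration
of why pre-programmed clocks fired a week early in 2004."""

import calendar
import datetime

SUNDAY = 6  # datetime.date.weekday(): Monday=0 ... Sunday=6


def sundays_in_october(year):
    """All Sundays of October in the given year, in date order."""
    days = calendar.monthrange(year, 10)[1]
    return [datetime.date(year, 10, d) for d in range(1, days + 1)
            if datetime.date(year, 10, d).weekday() == SUNDAY]


def fourth_sunday_of_october(year):
    """The rule hard-coded into the clocks."""
    return sundays_in_october(year)[3]


def last_sunday_of_october(year):
    """The rule in the EU directive."""
    return sundays_in_october(year)[-1]


def rule_mismatch_days(year):
    """Days by which a 'fourth Sunday' clock changes early in this year
    (0 when the two rules coincide)."""
    return (last_sunday_of_october(year) - fourth_sunday_of_october(year)).days


def years_with_mismatch(start, end):
    """Years in [start, end] in which the pre-programmed rule fires early."""
    return [y for y in range(start, end + 1) if rule_mismatch_days(y)]


if __name__ == "__main__":
    print(2004, fourth_sunday_of_october(2004), last_sunday_of_october(2004),
          rule_mismatch_days(2004))
    print("early years 2000-2010:", years_with_mismatch(2000, 2010))
```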


Nuclear Regulatory Commission lab info on Web

<"Dave Brunberg" <DBrunber@FBLEOPOLD.com>>
Wed, 20 Oct 2004 08:46:35 -0400

Today's cnn.com (http://www.cnn.com/2004/US/10/19/terror.nrc/index.html) has
a story on floor plans, chemical lists, and other "sensitive" data on
licensed nuclear facilities in the U.S. being made available through the
Nuclear Regulatory Commission's web site.

The article discusses what types of information are available, and how it
may be useful to terrorists planning attacks against such facilities, or
raids to obtain radioactive material.  Interestingly enough, little is said
about why the information was up in the first place.  The reason is likely
regulations requiring disclosure of hazardous substances and publication of
floor plans for use in fire/rescue training and other safety-related
regulations.

While most of us can agree that security through obscurity is a dead end,
the article's author seems mildly outraged and disbelieving that such
information would ever be publicly available.

However, it's nice to know that some people who are discussing physical
security understand the failures of security through obscurity: Money quote:

  "It [the Web site] may help a little, but if someone's determined to do
  this, it won't help them much. If someone wanted to find this out, they
  can," said David Albright of the Institute for Science and International
  Security.

  "If secrecy is your only security, then you don't have it. Because
  everybody that has a brain knows that physics departments use radioactive
  sources ... and it's not that hard to find where they are," he said.

It's always a delicate balance, when you have to weigh government secrecy
against the public right to know what's going on in their government.  In my
mind, it's better to err on the side of public knowledge, while implementing
true security measures.  The alternative is to try to hide everything and
then have to explain to a few thousand people why their loved ones died in
an attack that could have been prevented by a security policy driven by the
assumption that the enemy can find out whatever they need.  The latter takes
more work, but it's more honest and more reliable.

David W. Brunberg, Engineering Supervisor, The F.B. Leopold Company, Inc.


Battlefield Robotics are risk to the world public

<spinoza1111@yahoo.com (Edward G. Nilges)>
25 Oct 2004 21:03:51 -0700

http://news.yahoo.com/news?tmpl=story&u=/ap/20041025/ap_on_bi_ge/battle_ready_robot

No consideration appears to be given here by the John Deere corporation
(engaged enthusiastically in beating plowshares into high-tech swords) that
battlefield robots may represent the existing hazards of land mines to
children and others...raised to a power.

Dazzled by the glitter of the hardware and the apparent perfection of the
software in the showroom, we seem to systematically forget what happens to
old systems of this nature.

The unusable laptop, that boots up to a Blue Screen of Death and is too
expensive to repair, becomes closet clutter as does the desktop outdated by
the next big thing.

But what happens to military hardware, as is evident from the known problem
of unexploded ordnance (still a problem in northern France, almost a century
after the First World War), is much more serious.

It becomes an attractive nuisance for children growing up in former
battlegrounds.

A partially functional, unmanned and unaccounted for battlefield robot will
attract children, but since it is logically impossible to program these
pernicious things with Asimov's First Law (see below), its partially
corrupted software (corrupted by low power and environmental stress causing
memory losses, for example) may well interpret the random actions of
children as a threat...especially when the children play "war", as children
tend to do in real war zones.

Boom...and, as usual, nobody is responsible: the great good John Deere
corporation has moved on.

It is logically impossible to program these things with Asimov's First Law,
which was never to harm a human being. That's because their whole purpose is
to harm human beings.

Software people make mistakes, called bugs, all the time. Perhaps this
inures them to not admitting what may be The Grand Fallacy of software.

This is that one is not morally accountable for all phenomena of the
software system one has fabricated, including "unexpected" phenomena.  Of
course, an early lesson, learned and taught by hero computer scientist
Dijkstra, was that one was indeed responsible for outlier conditions.

We have been told that cruise missiles are pinpoint accurate even though
they have destroyed innocent lives. The destruction is explained away as
unusual combinations of circumstances or operators who in the heat of battle
misprogram the final parameters.

Trivially, there is no boundary between field modification of parameters,
whether of a cruise missile on board a naval vessel or behind the lines.

More important, it can be concluded that the seriousness of a final result
(a child's life destroyed) when considered as a number makes the final ratio
of our "input" to the magnitude of the crime something which has to be taken
into account.

Of course, for this reason, many software and hardware engineers simply
avoid defense work. But one hopes that the military types write all their
own goddamn software all the way down so that Open Source coders are not
indirectly responsible.

There is some fantasy that if we put enough steps between our actions and a
final result, the amplitude of the moral signal, the level of our guilt, is
attenuated and not amplified into a cry to heaven.

But September 11 may have brought home to many Americans that other people
do not feel the same way. Other people, if we implement battlefield robotics
and after the battle they are running amuck, will ask us why we constructed
such cowardly and unnecessary devices.


Spyware epidemic threatens to stall computer industry

<"NewsScan" <newsscan@newsscan.com>>
Mon, 01 Nov 2004 10:08:46 -0700

Computer makers say that their technical support lines are lit up by
consumers frustrated over sluggish performance and increasingly they're
tracing the problems back to one culprit: spyware. Companies are concerned
about the cost of the calls, but they're even more worried that that
customers will wrongly blame them for performance deficiencies. Russ Cooper,
senior scientist with TruSecure Corp., says now that spyware has become
epidemic, it's time for Microsoft and other technology companies to launch a
public education campaign along the lines of the old "Only *you* can prevent
forest fires" concept. The industry's incentive is pure survival, says
Cooper. Microsoft officials blame rogue software for up to a third of
applications crashes on Windows XP computers and AOL estimates that just
three such programs together cause about 300,000 Internet disconnections per
day. Forrester Research analyst Jonathan Penn says spyware-related customer
support can cost $15 to $45 per phone call, but it's worth it. "Security is
a component of loyalty. People, they want all these various services, but
they expect security to come with it."  [AP, 31 Oct 2004; NewsScan Daily, 1
Nov 2004]
  <http://apnews.excite.com/article/20041031/D862JARG0.html>


Swedish Hospital forces persons to change names

<Peter H <prisk@ipsec.se>>
Fri, 29 Oct 2004 20:27:52 +0200 (CEST)

Swedish hospital forces users to change their officially registered name!

According to an article in "Computer Sweden" (29 Oct 2004), the users at
Karolinska University Hospital have adopted a rigorous naming scheme that
uses *only* a person's name with the spelling and order existing in the
official population register.  Bad, you think?  Well, it is even worse: many
people have several given names, among which most persons pick one and use
it in everyday life.  But this hospital's administrators refuse to use the
chosen name, instead insisting on using the first given name + surname as the
e-mail address.

Reason? "It's about making sure it's the right person logging in and it's
also important with law and order."

For those unhappy souls not recognizing their names, the IT department has
ready-made forms for changing the official population register (which costs
money in Sweden, something the unhappy souls are not reimbursed for).

The article does not mention that some persons still have to use other
combinations; there are two cases where the "dream-scheme" does not work (not
even in Sweden):

  (1) for the duplicates (or do they refuse employment for these??)
  (2) for the persons christened with names containing non-ASCII characters.

Orwell, you are way behind!


Election candidates' web pages hacked during Finnish election

<"Erka Koivunen" <Erka.Koivunen@iki.fi>>
Thu, 28 Oct 2004 09:07:55 +0300

The web pages of two candidates from the Finnish National Coalition Party
were hacked last Thursday, just three days before the Finnish municipal
elections.  The pages were a part of a public service provided by Finnish
Broadcasting Company YLE. The candidates were supposed to type in their
answers along with opinions for predefined multiple-choice questions. In
turn, the citizens could compare the candidates' answers against their own
preferences. The service has grown to be quite popular during the latest
Finnish elections - at least I found my candidate by using the service!

According to YLE's project manager Erkki Vihtonen, somebody had gotten hold
of the party's passwords and used a PC in a public library to log in and
type in bogus answers for two candidates who hadn't completed the
questionnaire. The material was distinctively racist and sexist.

The webmasters were finally notified on the eve of the election by a tip
from the public and the bogus answers were removed.  The police are currently
investigating the suspected crime.

The service contained information about 16,000 candidates and it was visited
250,000 times before the election. No information about hits to the bogus
pages was released. According to Mr. Vihtonen, they have "7,000 suspects".

For the record: the two candidates - one in Helsinki, the other in Kemi -
didn't win.

Link to the original news story, dated 2004-10-27 (only in Finnish):
  http://www.helsinginsanomat.fi/tuoreet/artikkeli/1076154360595

Erka.Koivunen@iki.fi +358-50-5066317 http://iki.fi/Erka.Koivunen/


Re: Internet voting (Stevens, RISKS-23.57)

<Hamilton Richards <ham@cs.utexas.edu>>
Wed, 27 Oct 2004 14:24:12 -0500

PGN's comment on a couple of proposals to stage Internet-election hacking
contests --

   [I continue to be amazed that folks persist on focusing only
    on the risks of penetrations by outsiders.  Insiders are by
    far the greatest concern here.  PGN]

-- is well-taken as it applies to all software that's involved in ballot
counting, but Internet voting is a nonstarter for reasons that are more
fundamental.

The problem is that Internet voting compromises the secret ballot's
secrecy.  Although it's often assumed that ballot secrecy is a matter of
individual privacy, it's more than that. Ballot secrecy benefits not only
the individual voter whose ballot is secret, but all other citizens, who can
be sure that their fellow citizens can't be bribed or coerced into voting
contrary to their true preferences. The voter is alone in the voting booth,
and takes away nothing that she could use to prove how she voted.

Now picture a voter casting his ballot, via the Internet, from the comfort
and convenience of his home or office. How do we know that his employer, or
a party official with pockets full of cash, is not watching over his
shoulder?

It's true that absentee ballots have already opened this door a crack, but
that's no reason to throw it open wide.

Hamilton Richards, Senior Lecturer, Dept. of Computer Sciences, UT Austin

  [... not to mention that you have to trust everything along the way.  PGN]


Address-form glitch proves an easy scam

<Gabe Goldberg <gabe@gabegold.com>>
Mon, 25 Oct 2004 22:07:27 -0400 (EDT)

Credit-card thieves find sneaky way to beat fraud checks
http://www.msnbc.msn.com/id/6297815/

  It's a harmless-looking part of every Web site retailer's checkout page.
  The form filled out by customers ordering products almost always has a
  second line -- sometimes it's used for apartment numbers or other
  information; it's usually left blank.  But that innocuous-looking second
  line could become a big headache for Internet merchants soon, says one
  fraud expert.  Credit card criminals have figured out a simple way to use
  that second line to foil the most basic anti-fraud measures online
  merchants use.  [...]  Designed long ago, most address verification
  systems only check numerical values at the beginning of the address and
  zip code fields in the billing address form.  Letters, such as street
  names and cities, are ignored.  That means if the legitimate address is
  123 Elmwood Street, and a criminal enters "123 XXTRTWW," the fraud
  software will return a "yes" value, indicating the address is valid.  [...]

This is of course not a "glitch", it's people specifying, designing, coding,
approving, and *continuing to use* a system in which "letters, such as
street names and cities, are ignored". And then being all shook up when
something bad happens.

Gabriel Goldberg, Computers and Publishing, Inc., 6580 Bermuda Green Court,
Alexandria, VA 22312-3103  http://www.cpcug.org/user/gabe  1-703-941-1657
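The check the article describes, digits-only at the start of the street and ZIP fields, beside a comparison of the whole normalized street line, as an added illustration (neither function is any real card network's AVS; the billing record is constructed):

```python
"""Weak versus strict address-verification matching. Added illustration of
the defect quoted above: a check that ignores letters accepts '123 XXTRTWW'
for '123 Elmwood Street'."""

import re


def _leading_digits(s):
    """Numeric value at the beginning of a field, as a string ('' if none)."""
    m = re.match(r"\s*(\d+)", s)
    return m.group(1) if m else ""


def weak_avs_match(sub_street, sub_zip, bill_street, bill_zip):
    """The legacy check: only the leading numbers of the street and ZIP fields
    are compared; letters such as street names and cities are ignored."""
    return (_leading_digits(sub_street) == _leading_digits(bill_street)
            and _leading_digits(sub_zip) == _leading_digits(bill_zip))


def _normalize_street(s):
    """Case-fold, drop punctuation, collapse whitespace and expand a few
    common suffix abbreviations so honest variants ('St.' vs 'Street') match."""
    words = re.sub(r"[^\w\s]", " ", s.lower()).split()
    abbrev = {"st": "street", "ave": "avenue", "rd": "road", "apt": "apartment"}
    return " ".join(abbrev.get(w, w) for w in words)


def strict_avs_match(sub_street, sub_zip, bill_street, bill_zip):
    """Compare the whole normalized street line and the 5-digit ZIP, so a
    fabricated street name no longer passes on its house number alone."""
    return (_normalize_street(sub_street) == _normalize_street(bill_street)
            and sub_zip.strip()[:5] == bill_zip.strip()[:5])


# Constructed billing record on file with the card issuer.
BILLING_STREET = "123 Elmwood Street"
BILLING_ZIP = "12345"


def check_both(street, zip_code):
    """Return (weak verdict, strict verdict) for one submitted address."""
    return (weak_avs_match(street, zip_code, BILLING_STREET, BILLING_ZIP),
            strict_avs_match(street, zip_code, BILLING_STREET, BILLING_ZIP))


if __name__ == "__main__":
    for street in ("123 Elmwood Street", "123 Elmwood St.", "123 XXTRTWW"):
        print(f"{street!r:24} weak/strict = {check_both(street, '12345')}")
```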


Re: TV emits international distress signal (Hogsett, RISKS-23.57)

<Steve Summit <scs@eskimo.com>>
Fri, 29 Oct 2004 20:00:06 -0400

Mike Hogsett wrote about a flat-screen TV in Corvallis, Oregon, that
inadvertently summoned a search-and-rescue operation.

I just heard a similar story about the Civil Air Patrol in New York.
Evidently they get repeated calls which can be traced to a United Parcel
Service depot in the Bronx.  Now, it turns out that a company that makes
Emergency Locator Transmitters is serviced out of that UPS depot, and these
ELTs are often returned via UPS for repair.  But sometimes the boxes get
dropped, at which point the supposedly malfunctioning ELT inside senses the
high-G impact of a "crash" and starts to transmit.

And then there's the story (perhaps an urban legend) about people mailing
supposedly-defective electronic toll tokens back to the issuing highway
authority, and being billed for the tollbooths the mail truck passed
through...


Re: Is Windows up to snuff for running our world? (Smith, R-23.57)

<"Atom 'Smasher'" <atom@suspicious.org>>
Wed, 27 Oct 2004 01:02:18 -0400 (EDT)

About a week ago I stopped by a local bank to cash a check and their Windows
computers were all down.  They had no way to determine if the account had
sufficient funds to cash the check.  When I asked how often the system went
down, they replied "once or twice a day" for 10-20 minutes.

They have a computer system that spends 10-40 minutes of every workday
taking a siesta!

Apparently they knew the owner of the account that I was cashing the check
from, and determined that he never writes bad checks, so it should be OK to
give me the money and sort it out later.  Hhmmm... might there be a risk of
someone trying to cash a bad check during a hectic time?

related link - Is Microsoft Licensing Forcing Banks to Break The Law?
http://www.cioupdate.com/article.php/10493_1485861


Re: Do vendors read their own security policies?

<jmeissen@aracnet.com>
26 Oct 2004 23:26:02 GMT

I have the same problem with Fidelity Investments. Their official website is
at http://www.fidelity.com. Yet in spite of having the problem pointed out
to them they continue to send email that directs the recipient to various
pages at m0.net, such as
  http://fidelity2.m0.net/m/s.asp?HB16244124889X4152973X503473

The domain 'm0.net' is owned by Digital Impact in San Mateo. There is no way
on the face of it to know that this is legitimate. For some reason they
don't think it's a problem. The risk, of course, is that users won't be able
to recognize a phishing attempt by the URL.
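The recognition problem the post raises, shown as an added illustration (not Fidelity's or Digital Impact's code): a brand-name check that a hurried reader applies accepts the m0.net link, while a check on the host's domain suffix, compared on label boundaries, does not. The look-alike hosts beyond the two URLs in the post are constructed.

```python
"""Does a link point at the institution it claims to come from? Added
illustration using the fidelity.com / m0.net case from the post."""

from urllib.parse import urlsplit

TRUSTED_DOMAIN = "fidelity.com"   # the institution's own domain, from the post


def naive_looks_legit(url, brand="fidelity"):
    """What a hurried reader does: look for the brand name anywhere in the URL.
    Accepts fidelity2.m0.net, which is exactly the problem."""
    return brand in url.lower()


def host_belongs_to(url, trusted_domain):
    """True only if the URL's host is the trusted domain or a subdomain of it.
    Matching on label boundaries rejects both 'www.notfidelity.com' and
    'fidelity.com.example.net'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    trusted = trusted_domain.lower()
    return host == trusted or host.endswith("." + trusted)


def classify_links(urls, trusted_domain=TRUSTED_DOMAIN):
    """Map each URL to (naive verdict, strict verdict) for comparison."""
    return {u: (naive_looks_legit(u), host_belongs_to(u, trusted_domain))
            for u in urls}


# The two hosts from the post, plus constructed look-alikes.
SAMPLE_LINKS = [
    "http://www.fidelity.com",
    "http://fidelity2.m0.net/m/s.asp?HB16244124889X4152973X503473",
    "http://fidelity.com.example.net/login",   # constructed
    "http://www.notfidelity.com/",              # constructed
]

if __name__ == "__main__":
    print("strict naive url")
    for u, (naive, strict) in classify_links(SAMPLE_LINKS).items():
        print(f"{strict!s:6} {naive!s:5} {u}")
```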
