The RISKS Digest
Volume 23 Issue 8

Monday, 22nd December 2003

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Railroad accident results from deactivated crossing gates
Chats led to Acxiom hacker bust
Kevin Poulsen via Monty Solomon
Moderation and Immoderation
Re: Tragedy of the Commons
Douglas W. Jones
Re: Proper Understanding of the Human Factor
Peter B. Ladkin
Poor writing is the problem, not PowerPoint
Simson L. Garfinkel
Why have electronic voting machines at all?
Finn Poschmann
Sander Tekelenburg
CFP: CyberCrime and Digital Law Enforcement Conference, Mar 2004
Michel E. Kabay
Info on RISKS (comp.risks)

Railroad accident results from deactivated crossing gates

<"Peter G. Neumann" <>>
Mon, 22 Dec 2003 14:56:11 PST

An upgrade to the Caltrain guarded crossing system was designed by SRI many
years ago, and has been very effective at diminishing road-rage by
re-opening up the forward gates when trains are stopped in the station.  For
the past few years, the Caltrain folks have been upgrading the tracks,
adding sidings to enable high-speed trains to pass.  To do so, they have
shut down passenger service altogether on weekends, turning off the crossing
controls.  However, the rails have been used to move the needed construction
materials (roadbed, ties, rails, etc.), with flagmen posted as needed.
However, at 11:30pm on Sunday, 14 Dec 2003, just a few blocks from SRI in
Menlo Park, a truck struck a slow-moving train already 3/4 of the way
through the crossing.  Why this happened was not known.
  [Source: *San Jose Mercury News* (Peninsula Edition), 16 Dec 2003, page 3B.]

Chats led to Acxiom hacker bust

<Monty Solomon <>>
Mon, 22 Dec 2003 00:26:43 -0500

Kevin Poulsen, SecurityFocus, 19 Dec 2003

A Cincinnati man who plead guilty Thursday to cracking and cloning giant
consumer databases was only caught because he helped out a friend in the
hacker community.  Daniel Baas, 25, plead guilty on 18 Dec 2003 to a single
federal felony count of "exceeding authorized access" to a protected
computer for using a cracked password to penetrate the systems of
Arkansas-based Acxiom Corporation — a company known among privacy advocates
for its massive collection and sale of consumer data. The company also
analyzes in-house consumer databases for a variety of companies.

From October 2000 until June 2003, Baas worked as the system administrator
at the Market Intelligence Group, a Cincinnati data mining company that was
performing work for Acxiom. As part of his job, he had legitimate access to
an Acxiom FTP server. At some point, while poking around on that server, he
found an unprotected file containing encrypted passwords.

Some of those passwords proved vulnerable to a run-of-the-mill password
cracking program, and one of them, "packers," gave Baas access to all of the
accounts used by Acxiom customers — credit card companies, banks, phone
companies, and other enterprises — to access or manage consumer data stored
by Acxiom. He began copying the databases in bulk, and burning them onto
CDs.  ...

Moderation and Immoderation

<"Peter G. Neumann" <>>
Mon, 22 Dec 2003 14:44:13 PST

Your RISKS moderator is absolutely mortified.  After my silly OMITTED MINUS
ONE gaffe in RISKS-23.06 in the Mersenne prime item, I compounded it in
RISKS-23.07.  (Thanks to all of you who responded.)  I started out having
typed P>=1 and did not like how it looked, and meant to change it to P>0.
Somehow I forgot to do so.  In trying to keep many balls in the air at once,
I unfortunately sometimes have to squeeze RISKS moderation in between
handling the other balls.  Having a ball sometimes becomes Halving a ball.

The "notsp" Subject line experiment has been a tremendous help in allowing
me to separate the wheat from the chaff.  Thanks to those of you who picked
up on it.  (I continue to get over 1000 spams a day that are caught by
SpamAssassin, and many more that are not.)  Nevertheless, I regret that I
cannot put out more issues and include more of your would-be postings.  On
the other hand, if we had more RISKS issues, I would have to do with even
more responses, and you all would have even more e-mail to read as well, so
perhaps you should be happy I cannot devote more time to moderating.  So
moderation in moderating may be a good thing after all.

Incidentally, for those of you who have stumbled onto some of the annoying
Majordomo glitches, I anticipate that RISKS will eventually be cutting over
to Mailman — which my lab is already using experimentally on other lists.

Let me take this opportunity to wish you all a risk-free holiday season.  PGN

Re: Tragedy of the Commons (Norman, RISKS-23.07)

<"Douglas W. Jones" <>>
Thu, 18 Dec 2003 19:03:48 -0600

*Science Magazine*, 12 Dec. 2003, Vol 302, No 5652, has a set of articles on
the Tragedy of the Commons, one of which is very relevant to us.

   Tales from a Troubled Marriage:
   Science and Law in Environmental Policy
   by Oliver Houck, Pages 1926 to 1929

The section of this article that is most relevant to us is entitled: Four
Cautionary Tales.  There, he talks about how science has come to be used and
abused in public policy debates surrounding environmental issues, but we're
involved in a different public policy debate, and science is being used and
abused here too.  The 4 examples are:

"The lure of a return to scientific management" should be viewed with
suspicion.  There are attractive and rational arguments that favor
iterative, impact based and localized management strategies instead of
"unrealistic" one-size-fits-all policies.  Several people spoke in these
terms at the NIST meeting on voting systems Dec 10 and 11, urging
incrementalism and arguing against top-down approaches that attempted to
look at the big picture and overall system architecture.

"Good science" and "peer review" are sometimes invoked to set extremely high
standards for the admissibility of scientific arguments that favor any
change in current policy, but it is unusual to find such standards applied
to the arguments favoring retention of the status quo.  The head of the CS
department at Kennesaw State cornered me recently using this argument
against the Hopkins report on security flaws in Diebold's voting systems,
despite the fact that the SAIC report had already come out confirming most
of the flaws first reported in the Hopkins report; as far as he was
concerned, the fact that the Hopkins report had not been subject to
prepublication peer review was grounds for censure.

"The lure of money" has biased science.  There are good studies of this in
the health care field as well as the environmental field.  Researchers with
industrial funds are less likely to publish results that reflect negatively
on their source of funds.  Who is supporting the different scientists who
have engaged in the voting systems debate?  We ought to be very open about
this.  The conflict of interest stories that popped up after the release of
the Hopkins report touch on this issue, illustrating the extent to which
bogus conflicts can be as important here as real ones.

"The lure of the safe life" has led researchers to avoid drawing
conclusions.  We can do good science, confining ourselves to the technical
and avoiding drawing conclusions that would engage us in public policy
debate.  Many of those on this list have elected to forgo this option, but
many of our colleagues may be more reluctant to participate.  This is
unfortunate and I think we need regular reminders.  When outrageous claims
are made for what computer science can do, or when utterly incompetent
security audits are brought forward into the public debate, those who have
technical qualifications should not stand by idly.

Re: Proper Understanding of the Human Factor (Norman, RISKS-23.07)

<"Peter B. Ladkin" <>>
Sat, 20 Dec 2003 09:37:34 +0100

In his argument for the view of Mike Smith (RISKS-23.04) and against that
suggested by Dave Brunberg (RISKS-23.06) on Vicente's book The Human Factor,
Don Norman invites us to consider two points of view on systems failure in
which human operators are involved.

He suggests that 75% of accidents with such systems are blamed on operator
error (in aviation, the generally-aired figure says accident reports
attribute probable cause to pilot error in 70% of cases), and that the cause
should be taken to lie rather in the system design which affords those kinds
of errors. He points out that this view has been around for some half a

The other view is that of Brunberg, who gives hypothetical examples of the
"Bubba factor", according to which operators engage in typically human but,
in terms of their professional skills and requirements, inappropriate
behavior when operating a system.

Norman, prefers the first view. For example, it is a part of critical system
design that hazards (defined as situations in which certain unwanted events,
including accidents, are particularly afforded in some way or another) must
be identified, and avoided or mitigated as far as possible.

The classic statement of the "Bubba factor" position is a comment made in
1949 by Edsel Murphy, an engineer on the USAF project MX191: Human
Deceleration Tests, after observing some incorrect wiring that had led to
failure of measuring equipment. If there was a way for one of the
technicians to make a mistake, observed Murphy, that would be the way things
would be done. Murphy's Law, as its successor has come to be known, is also
half a century old [1].

So, Norman or Bubba?

I believe with Norman that more attention could be paid to the system
affordances that encourage inappropriate operator actions or inactions. I
also suspect that the operator's cognitive state is systematically
underemphasised in most accident investigations, and consider proof of this
claim to be a significant research project.  Some progress has been
made. Let me give four examples, based on a particular conception of human
cognitive capabilities.

There are ways of defining an operator's "rational cognitive state" which do
not depend on reconstructing hisher mental state, namely by looking at the
information presented to the operator by the system and closing under simple
inferences. This idea derives from (and may even be identical with) the
"information theoretic" view proposed by Norman himself. One may consider
such a state to be that of an ideal operator, and thereby somewhat
unrealistic, but it suffices to highlight, in some significant cases, how a
system afforded operator error.

Consider the "Oops" series of aircraft-simulator runs, in which researchers
at NASA Ames Research Center set up scenarios for pilots of an MD-80-series
flight simulator. The pilots were led to "bust" (fly through) their cleared
altitude on climb. John Rushby has published what I consider to be a seminal
paper, in which he used the Mur(phi) model checker to demonstrate that the
pilot's "mental model" (what I called above the rational cognitive state)
did not match the system state at a crucial point in the proceedings [1]. In
other words, crucial information about the system was not presented to its
operator. This is therefore a case in which the only prophylaxis is to
design out the hazard situation. It amounts to a canonical example of
Norman's contention.

Sidney Dekker gave the Tuesday Luncheon talk at the 21st International
System Safety Conference in Ottawa in August 2003, in which he showed a
series of still photographs of the views available to the pilots of a
Singapore Airlines B747-400, which attempted to take off from a closed
runway in Taipei and collided with construction equipment.  The accident was
widely discussed in commercial aviation circles, particularly with respect
to the ground guidance technology at the airport and the judicial treatment
of the crew. Sidney's sequence of photographs gave me the impression that I
would have made similar decisions in those circumstances to those which led
to the accident (I am a pilot, though not a professional). This view had
been promoted by some discussants since the accident, and I believe it is to
be credited with keeping the crew out of jail.

A similar case of "seeing what the operator saw" is made by the series of
photographs shown by Marcus Mandelartz of the signalling en route to the
train derailment at Brühl in the Rhineland in Germany, in which a driver of
an intercity train went through a switching points at something over three
times the appropriate speed [3].

Finally, I have argued that the decision by the Russian pilot of one of the
aircraft that collided over Lake Constance in July 2002 to descend in
contravention of his ACAS "climb" advisory could well have been rational,
given his "rational cognitive state" as defined above [4]. I also pointed
out that all participants in that unfortunate affair, the two crews and the
air traffic controller, had distinct "rational cognitive states", a
situation engendered by a cognitive slip by ATC. I believe this situation
has been woefully incompletely analysed from the point of view of the ACAS
system. To me, the situation represents a hazard that must be designed out
or mitigated, as with any such system hazard. This view contrasts with that
of, say, Eurocontrol, which advises that ACAS "resolution advisories" (RA)
should be followed by pilots without exception, also a view propounded by
many pilots. A more cautious view is expressed by the International Civil
Aviation Organisation (ICAO), which advises that pilots should not manoeuvre
against an RA, and an even more cautious view has been expressed by the UK
Civil Air Authority, which advises that pilots should not manoeuvre against
an RA without overwhelming reason. I believe the crew of the Russian
aircraft had such reason, as shown by considering the "rational cognitive
state" (I emphasise that the "rational cognitive state" is not to be
identified with the actual mental state of the pilots, which we can no
longer know). If so, only the UK CAA view is consistent with focusing on the
system, and not the operator. This appears to me also to be a canonical
example to which Norman's view applies.

All this argues for Norman's view. What is there to argue for Brunberg's?

Consider the following crude but general argument for the Bubba phenomenon.
Operators have responsibilities. They are intended to perceive certain
partial system states and to devise actions which depend on those partial
states. These actions are stipulated by procedures. In the case of some
systems, pilots flying airplanes for example, some of these actions and
their consequences are unavoidably safety-critical. Human beings may freely
choose their actions, and it is open to an operator of even the most
carefully designed system, in such a situation, to choose an action which
will lead to an unwanted event such as an accident.

One may contravene such an argument in commercial aviation only by
advocating pilotless commercial aircraft, a prospect that fills not only
some passengers but also some systems people like myself with dread.

To illustrate the situation which the argument highlights, consider an
accident in November 2000 to a Luxair Fokker 50 turboprop on approach to
Luxembourg Findel airport. The aircraft was on final approach using the
ILS. The crew selected "ground fine-pitch" on the propellors while still
airborne. This "low-speed fine-pitch regime [is] normally only usable on the
ground" [5]. Control was lost, the aircraft crashed on approach, and most on
board died.

An interlock prevents ground fine-pitch mode from being selected while the
aircraft is airborne: power lever movement into this regime is
inhibited. However, there was a known interlock failure mode in which the
interlock does not function for some 16 seconds after the landing gear has
locked down. A Notice to Operators concerning this phenomenon had been
issued, and a system fix for this problem was available but had not been
incorporated on the accident aircraft [5].

Activating ground fine-pitch while airborne is obviously a big no-no.
The big question is why this regime may have been selected. The report
has recently been issued [6]. It criticises the crew. "The captain put
the power levers into the beta range while trying to regain the glidepath
from above after beginning a go-around due to poor visibility, and then
reversing his decision - all without communicating with the first officer.
He had earlier begun what should have been a Category II [ILS] approach
without informing his colleague" [6]. The accident report says: "All
applicable procedures as laid down in the operations manual were violated
at some stage of the approach" [6]. All this raises red flags to just about
everyone involved with flight.

The report "extensively questions the airline's hiring and training
practices" as well as noting that the "design [of the aircraft] did not
prevent the crew from selecting ground-idle while in flight - the final
error in a chain that led to the crash" [6].

The question. Norman or Bubba?, is ill-posed. Both Brunberg and Norman
overstate their cases. As Norman says, people are still too ready to fault
operators, even after 50 years. But operators must be allowed their free
will, otherwise one doesn't need an operator. It is open to operators
to freely choose wrongly, even catastrophically. And it happens.



[1] John Rushby, Using Model Checking to Help Discover Mode Confusions and
Other Automation Surprises, in Reliability Engineering and System Safety
75(2):167-77, February 2002, also available from

[2] Robert A.J. Matthews, The Science of Murphy's Law, in Peter Day, ed.,
Killers in the Brain, Oxford U.P. 1999.

[3] Marcus A. Mandelartz, Das Zugunglück in Brühl aus der
Lokführerperspektive (The Train Accident in Brühl from the Perspective
of the Driver), in German,

[4] Peter B. Ladkin, ACAS and the South German Midair, Technical Note
RVS-Occ-02-02, available from

[5] David Learmount, Propellors yield Lusair crash clue, Flight
International, 26 November - 2 December 2002, p8.

[6] Kieran Daly, Luxair crew slammed in crash report, Flight International,
16-22 December 2003, p6.

Peter B. Ladkin  University of Bielefeld,

Poor writing is the problem, not PowerPoint (Re: RISKS-23.07)

<"Simson L. Garfinkel" <>>
Fri, 19 Dec 2003 11:47:02 -0500

Re: Over-reliance on PowerPoint leads to simplistic thinking

Having read about this in the report and some coverage in eWeek and
ComputerWorld, I need to argue that the real problem is not PowerPoint (as
much as I dislike the program) --- the problem is that many engineers are
simply poor verbal communicators.

> Because only about 40 words fit on each slide, a viewer can zip through a
> series of slides quickly, spending barely 8 seconds on each one.

This seems like poor rationalization. Here's what you can do with 40 words:


(hm; that's just six words.)

	* Falling foam has been clocked at faster than 500 mph
	* Impact with wing could destroy fragile ceramic tiles on launch
	* Repair not possible in space; shuttle would burn-up on re-entry

(that's another 30 words; total word count is 36)

I just finished a semester of paper grading in a class at MIT. Many of the
students were really angry that I took off points for poor writing, improper
citations, etc.  "This is a class in computer security, not writing," one
student told me (paraphrased).

I wrote a long e-mail back to that student that without the ability to write
clearly, their security skills would be of little use.

Why have electronic voting machines at all? (RISKS-23.06,07)

<"Finn Poschmann" <>>
Fri, 19 Dec 2003 15:42:20 -0500

Russell Cooper (RISKS-23.07) says that to raise voter turnout when people
are broadly distributed, reducing the need for travel to a polling station
is "highly desired" and a compelling reason for e-voting, and that this
desired benefit is being neglected in common discussion.

In fact, in the e-government world, which is populated by hordes of
promoters of e-democracy and e-everything else, there is much attention paid
to the benefits of making voting easier. (Too much? I might note
parenthetically that we should probably ask ourselves if we really want
disinterested people to vote more often, but that would be a distraction.)
In the endless rounds of worldwide conferences and discussion papers on
e-governance and the "democracy deficit," what there is not enough of is
attention to risks and costs.

We have difficulty in practice getting close to a verifiably accurate
polling station implementation of e-voting, though as Rebecca Mercuri will
tell you it is surely possible to do so. The risks and costs multiply when
we contemplate e-voting from home.

Of course we can get *close enough* to an acceptably accurate and verifiable
home-based system; after all, we use similar systems in financial
transactions representing many billions of dollars daily. Encryption and
tunnelling protocols can be powerful tools.

Observations: 1) *Close enough* is nonetheless a long way off, owing to
technical requirements and the concomitant need to raise voters' comfort and
skill levels. 2) It will be expensive owing to equipment needs on both ends,
where that equipment would not otherwise be necessary. 3) It will be
intrusive. I should think we would want to know, while you hold your eye to
the scanner and your finger on the pad sensor, that your true voting wish is
being expressed. And what to do about the possibility that someone is paying
you and watching your vote, or holding a gun to your head? I don't know the
answer to that one, just as I don't know now why some US states have so
enthusiastically adopted the mail-in ballot.

In any case, the costs of achieving a reasonably fair and verifiable
e-vote-from-home are certainly large. What were the benefits again?

  [Remember, as other contributors have, that Internet voting and other
  remote voting schemes all suffer from the ability to sell your vote --
  along with all of the other problems of whom and what can you trust.  PGN]

Re: Why have electronic voting machines at all? (Cooper, RISKS-23.06)

<Sander Tekelenburg <>>
Fri, 19 Dec 2003 08:41:53 +0100

[I may have missed a step in this thread, but the original subject seems to
have been electronic voting machines vs paper voting. Somehow it moved to
voting from the comfort of the home, which I think should be treated as a
different subject.]

Wed, 10 Dec 2003 05:09:05 -0500, "Russ" <> wrote:

> Maybe I missed the comment, but it seems to me that one of the most
> compelling reasons for e-voting, getting more people out to vote, is being
> missed in these threads. Maybe voter turnout in the States is always >50%,
> it isn't here (Canada).

Technological security issues aside, it would mean giving up on secret
voting. Not something to take lightly. Voting from the privacy of your home
would make it even easier for people to force each other to vote for
candidate x than the 'regular' abuse within the sacrecy of the home that's
already happening on a grand scale. A public voting station, with secret
voting, avoids that RISK.

While discussing the issues with electronic voting machines, and the
suggestion that a paper trail would fix most of that, I ran into this. Some
people seem to present that paper trail as a receipt: the voter gets to take
it with her. That would mean people can force each other to prove they voted
for the candidate they were told to vote for. Dangerous. A paper trail is
necessary (thus indeed: why electronic voting at all?), but it should not
break secret voting.

  [Almost all of the sensible proposals for voter-verified paper trails
  retain the paper within the system.  Voters do not take them home.
  However, David Chaum's proposal is somewhat different, allowing you to
  take a part of the audit trail with you from which you can verify your
  vote was correctly recorded.]

> I fail to see how anything else could be as likely to increase voter
> participation.

If voter's can't be bothered to go to a voting station, maybe it's healthier
for society to leave it at that. You don't want utterly uninformed voters to
vote, just for the sake of voting. You'll just get more votes for whoever
happens to have the most likeable TV-face of the day... (No doubt some
politicians see that too and are therefore in favour of e-voting...)

It would be nice to see more people participate. But I'm not sure what would
be the way to make that happen. No doubt the causes and solutions will differ
per country. In some countries better and more easily accessible education
might help. But in countries that already have that you see many people still
not voting. Sometimes as a (misguided) way of protest, sometimes because they
think their one vote won't make a difference, sometimes because they feel
things are fine as they are.

> [...] in a country such as ours where people are broadly distributed,
> reducing the need for people to go to a polling station is highly desired.

Yes, different countries may need different solutions. In the (compared to
Canada ;)) utterly overcrowded Netherlands a stroll to a voting station
usually takes no more than 5 minutes. If that's too much work, then don't
vote - and lose your right to complain about the government.

(In Dutch national elections turnout is around 70% on average I think. For
EU elections it is something like 40% or even just 30%.)

Sander Tekelenburg, <>

CFP: CyberCrime and Digital Law Enforcement Conference, Mar 2004

<"Michel E. Kabay" <>>
Thu, 18 Dec 2003 14:57:15 -0500

Yale Law School's Information Society Project (ISP) invites you to the
CyberCrime and Digital Law Enforcement conference, taking place on March
26-28, 2004 at Yale Law School.

Registration and further information are available at:

Nimrod Kozlovski, Fellow, Information Society Project, Yale Law School

Please report problems with the web pages to the maintainer