The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 24 Issue 10

Weds 23 November 2005


Voting glitches from the 7 Nov 2005 Election
Joseph Lorenzo Hall
Mode error leads to recall of medical device
Richard I Cook
When switching to backup systems is too costly
Alan Powell
In-car GPS navigation - when it causes an accident
Mike Scott
Bank Shares Suspended After Annual Results Released Early
David Shaw
They needed a real firewall!
Jeremy Epstein
UNH alumni directory misreports 500 deaths
via Monty Solomon
"Chip and PIN" - whose goods are you paying for?
Andrew Law
More Excel risks
Patrick O'Beirne
Irony in certificate-land
Jeremy Epstein
Risks of applying to law school
Tony Lima
Producing Error-Free Software is Hard
J H Haynes
US Military removes Word documents from the Web?
Diomidis Spinellis
Info on RISKS (comp.risks)

Voting glitches from the 7 Nov 2005 Election

<Joseph Lorenzo Hall <>>
Tue, 15 Nov 2005 14:12:42 -0800

(The full list is here:

Here are some quick summaries of a few very interesting voting glitches that
we saw last week. (Listed in order of interest to me.)

[San Joaquin County, California - S.J. County has election night deja vu][1]

San Joaquin County workers misplaced a memory cartridge for an optical-scan
machine. They rescanned the ballots and but haven't found the cartridge. In
this story, an official says that the new Diebold TSx DREs that they want to
use will make things work more smoothly... although the official doesn't
recognize that misplacing the memory cartridge in a paperless DRE would not
be as easily recoverable (although I believe you'd still have the ballot
images resident in memory, no?).

[Cumberland County, Pennsylvania - Software error forces recount in close
race for district judge][2]

Two candidates in a race were both mistakenly listed as being from same
party. Straight-ticket votes counted both candidates and initially resulted
in over-votes. After this was corrected for, the race was down to a 2-vote
margin (1703 to 1701 votes). Also see: ["Ballots counted again in judge

[Harwinton, Connecticut - Voting machine snafu may lead to challenge in

One candidate was endorsed in a race by both Republican and Democratic
parties and was listed twice in a choose 2 out of 3 race. This candidate,
due to being listed twice, got twice as many votes as the other two
candidates in the same contest.

[Pasquotank Co., North Carolina - In Elizabeth City, a 14-vote gap has one
candidate calling for a recount][5]

Selecting a certain candidate in the only contest on the ballot resulted in
a write-in candidate box being selected instead. The margin in this race was
14 votes. Also, 60 blank ballots were cast (recall that there was only one
race for this election). Also see: ["Count on recount in E. City mayor's

[Lucas Co., Ohio - State plans to investigate voting chaos; Tuesday's
problems are latest for Lucas County][7]

This one is mysterious: "workers accidentally 'set an option [on the five
machines] that prevented the results from being transported onto the memory
card.'" Also, massive labor shortage resulted in chaos as election was
highly understaffed and a system of "rovers" didn't function correctly
(where one elections worker would travel to five polling places to get
aggregate totals from machines). Also, see: ["Poll workers blast use of

[Montgomery County, Ohio - Vote count goes all night][9]

Various problems resulted in having to download votes from 2000 memory cards
instead of from one card each from the 548 precincts. However, during this
process, 186 memory cards were found to be missing. After looking through
bags of precinct materials ("I voted" stickers, signs, etc.) they had found
171 cards. The remaining 15 cards were only found after rousing pollworkers
from bed at 3 am so they could return to the polling place to get the cards
either left in machines or lying around the polling place.

[Wichita County, Texas - Human errors hamper voting][10]

35 precincts neglect to perform zeroing out process before election. This
resulted in the vote data being impossible to download from the DRE (ES&S)
with PEB device. ES&S technicians were able to open the machines, remove the
removable memory cards and read the data from there.

[Montgomery County, Ohio - 'Human error' creates doubt about failed vote in

77 "phantom votes" found to have been cast in an election where a bond
measure was defeated by a margin of 146 to 79. ("Phantom votes" are when
there are more votes counted than there are registered voters that could
have cast votes) In this case, there were only 148 registered voters that
could have cast votes in this race.


Joseph Lorenzo Hall, PhD Student, UC Berkeley, School of Information (SIMS)

Mode error leads to recall of medical device

<Richard I Cook <>>
Fri, 28 Oct 2005 07:05:28 -0500

The U.S. Food and Drug Administration Medwatch program has issued a warning
based on the possibility of mode error that can lead diabetics to misread
their home glucose monitor. The FDA's Medwatch program, which issued the
warning, receives user and facility reports of problems with medical
devices. The device provides glucose values in either American or European
standard units (mg/dl of mmol/liter) based on setting in the device. That
setting may be changed when users are trying to set the date or time fields
in the device. The FDA News also notes reports that the setting may change
when the meter is dropped or its battery is changed.

The devices involved, a set of Abbott blood glucose monitors used by
diabetics for home glucose monitoring, have not been recalled by the
manufacturer. Abbott issued a press release on October 14, 2005
acknowledging the fault and is undertaking "a worldwide correction and
notification to all healthcare professionals and users, when known, about
the measurement switching problem" according to the FDA announcement.

Abbott manufactures the devices for resale under a variety of brand
names. The U.S. brand names involved include FreeStyle, FreeStyle Flash,
FreeStyle Tracker, Precision Xtra, MediSense, Sof-Tact, Precision Sof-Tact,
MediSense, Optium, and private label brands ReliOn Ultima, Rite Aid, and
Kroger blood glucose meters. Precision Sof-Tact meters, which were
inadvertently omitted from Abbott's press release, are also included.
Outside the U.S. the involved brand names are Xceed, Liberty, Boots, Xtra
Classic, Easy, and SofTrac. These products are distributed primarily through
retail and mail order pharmacies and physicians' offices.

Problems with blood glucose meters are not uncommon. Earlier this year
Lifescan Inc, a subsidiary of Johnson & Johnson, issued a Class I Recall
notice for its OneTouch SureStep blood glucose meter because of reports of
failure of some segments of its LCD display that could lead users to believe
that their glucose was normal when it was actually dangerously high. Class I
recalls are "for dangerous or defective products that predictably could
cause serious health problems or death. Examples of products that could fall
into this category are a food found to contain botulinal toxin, food with
undeclared allergens, a label mix-up on a life saving drug, or a defective
artificial heart valve."

Mode errors are among the more common forms of human-computer interaction
problems. A classic paper on mode errors in the cockpit is "How in the world
did I ever get into that mode?: Mode error and awareness in supervisory
control" (Sarter, ND and D Woods, Human Factors 37, 5-19). Mode errors are a
common problems with medical devices, especially relating to units of
measurement. An example is shown at Such
problems are usually treated by manufacturers as a type of operator error
and are usually incredulous regarding the contribution of device design to
mode error.  Glucose meters are ubiquitous because glucose control is the
centerpiece of diabetes management.  .

 - - - - -

Links of interest:

Short description of "mode error" with example:

Links regarding the Abbott products:
FDA Medwatch:
FDA News (announcement):
Abbott Laboratories website:
Abbott Laboratories "urgent correction" notice:
Abbott units of measure table:

Links regarding the Lifescan products:
FDA Medwatch:
FDA Firm Safety Alert:
FDA Class I Recall noticee:
Johnson & Johnson's Lifescan urgent recall notice (with example):

FDA Recall classifications:

Richard Cook, MD, Cognitive Technologies Laboratory, University of Chicago
(I have no commercial relationship with any pharmaceutical company or device

Richard I. Cook, MD, Assoc.Prof., Department of Anesthesia and Critical Care
Director, Cognitive Technologies Laboratory Univ. of Chicago 1-773-702-4890

When switching to backup systems is too costly

<Alan Powell <>>
Mon, 31 Oct 2005 05:18:45 +0000 (GMT)

On Friday 28 Oct '05, Standard Bank's ( ATM
network started declining 30% of transactions [i.e., you couldn't withdraw

A Standard Bank spokesman claimed:

* The problem was due to a "lack of capacity at the central processing

* A "management decision" had been taken to not switch to the backup system
until non-peak hours because the switch-over would take 40 minutes during
which time the entire ATM network [country-wide!] would be offline.

* The fault arose additional processing capacity had been added to the
centra processing unit to cater for the busy season.

[Anyone care to enumerate all the ways they could improve on the
availability and redundancy of their system?]

In-car GPS navigation - when it causes an accident

<Mike Scott <>>
Thu, 27 Oct 2005 12:07:34 +0100

I've been wondering about getting an in-car GPS navigator, but I'm beginning
to wonder about the wisdom of this.

My son was being driven by a friend in London. The friend's car was equipped
with some sort of GPS navigation. They were driving eastbound along the
north side of the River Thames, intending to cross at Tower bridge to a
destination on the south side of the river. The GPS said "turn right" when
they reached the bridge. The only snag is that this is a one-way system. To
cross the bridge you turn left, *away* from the bridge, and drive right
round the block. Unfortunately, said friend payed more attention to the GPS
than the road signing, and very nearly collided with a car coming the other

I now wonder what liability the makers of such equipment have. At the very
least, an inaccurate system can be a distraction on a busy road, and
conflicts in data to a driver can cause delays in reaction. At worst, it
could cause a fatal accident.

Incidentally, I get very irked by my Garmin GPS72, which powers up with a
screen that says "All data is presented for reference only.  You [the user]
assume total responsibility and risk...." Yet from their website: "Garmin
products make it easy to get there and back. These rugged navigators are
built to handle the Great Outdoors -- and still keep you on track." I'm not
sure they can have it both ways!

Bank Shares Suspended After Annual Results Released Early

<David Shaw <>>
Thu, 3 Nov 2005 09:49:40 +1100

Westpac (, a large Australian bank, was forced to halt
trading on its shares and deliver its annual profit briefing a day early
after it accidentally sent its results by email to research analysts.

A template containing past results was sent to analysts. It was soon
discovered that the new figures were embedded in the spreadsheet and were
accessible with via "a minor manipulation". Analysts telephoned the bank to
report the error and the template was recalled.

But the damage was done. The Australian Stock Exchange was notified and
trading was suspended as it appeared that some people had access to
information not generally available to the market. The bank then brought
forward its results announcement.

Westpac Chief Financial Officer, Philip Chronican, said there was no
evidence that the figures had been circulated and there were no signs of
disorderly trading in Westpac shares. He added: "It is not just one error,
it is a compounding of two or three errors ... We will obviously be
conducting a full inquiry to make sure it doesn't happen again."

More detail at:

They needed a real firewall!

<Jeremy Epstein <>>
Thu, 3 Nov 2005 09:04:07 -0800

I received this note today:

> Due to a serious fire at the University of Southampton, UK, the
> website and mailing lists are temporarily unavailable.  [...]
> Information about the fire can be found at:

Perhaps they needed a real (physical/architectural) firewall to protect
their servers?

More seriously, just a reminder that as much as we worry about
cybersecurity, physical problems can be just as serious a threat to
continuity.  [The report indicates that the fire was accidental; whether the
destruction was accidental or intentional, it's a very effective Denial of

UNH alumni directory misreports 500 deaths

<Monty Solomon <>>
Fri, 4 Nov 2005 08:47:36 -0500

On 2 Nov 2005, 63-year-old Sandra Keans was preparing for her City Council
race.  The next day, she discovered that she and 500 other graduates of the
University of New Hampshire had been listed as deceased in the annual alumni
directory.  This was attributed to "a foible of fatal proportions" resulting
from a publishing technician's error.  [Source: 'Dead' alumni walking: UNH
report of their demise greatly exaggerated Maria Cramer and Emma Stickgold,
*The Boston Globe*, 4 Nov 2005; PGN-ed]

"Chip and PIN" - whose goods are you paying for?

<"Andrew Law" <>>
Tue, 15 Nov 2005 12:47:31 -0000

Over the last few months, almost all UK retailers who can take credit or
debit card payments have been switching to the use of "Chip and PIN" card
readers instead of the older system in which the customer signs a sales
invoice. The card reader scans the customer card, the customer then types in
his or her PIN to the numeric keypad on the reader, and the system then
verifies that the card details and PIN match. This is believed to be more
secure than relying on signatures, which in general is probably true.
However, it may lead to some interesting side effects...

Last week, one of my colleagues was in the Waitrose supermarket near our
office. When she came to pay with her credit card, she was asked to type per
PIN into the keypad as normal. As the cashier was handing the receipts over,
she spotted something rather odd. The itemised till receipt correctly showed
the goods which she had taken from the shelves and which had been scanned in
by the barcode reader at the checkout. The sales receipt, however, showed a
different amount, indicating that she had been billed for the wrong amount.
My colleague and the cashier realised that she had in fact paid an amount
which exactly matched the value of the goods of the previous customer, who
had paid by cash instead of credit card.

After having spotted that there was a discrepancy, it took 20 minutes for a
supervisor to sort out the mess.

The RISK here would seem to be that the "chip and PIN" system is not
automatically synchronised with the rest of the checkout, and that customers
may be being charged for the wrong amount on an ongoing basis if the cashier
is not aware to check the receipts for consistency.

This morning, our local supermarket has reverted to using the signature
method for checking identity.

Andy Law

More Excel risks

<"Patrick O'Beirne" <>>
Fri, 04 Nov 2005 10:02:49 +0000

Seen on the Excel-L list:
(Blacked out squares indeed - somebody thought that black shading would
hide text!)
 - - - -
<Start of copied data>

Westpac was forced to halt trading on its shares and deliver its annual
profit briefing a day early after it accidentally sent its results by email
to research analysts.

Details of the $2.818 billion record profit result for the 12 months to
September 30, which were due to be announced this morning, were overshadowed
by concerns that some information may have been leaked to the market.

The new figures were embedded in a template of last year's results and were
accessible with minor manipulation of the spreadsheet.

"A trading halt is not a trivial issue and therefore not a decision we took
lightly," Mr Chronican said.

"It is not just one error, it is a compounding of two or three errors.
We will obviously be conducting a full inquiry to make sure it doesn't
happen again."
<end of copied data>


 - - - -

Another one for the collection, from Richard on the Excel-L list:
File Properties can be changed even in 'protected' workbook

>Just another oh-by-the-way...
>use the workbook properties with caution.  I used to store various version
>info here, but later realised that this can be accessed and changed by
>using windows explorer.
>Even if the structure of the workbook is password protected (preventing a
>normal user from accessing the workbook properties tabs)
>Nifty eh?
> - - - -
>The EXCEL-L list is hosted on a Windows NT(TM) machine running L-Soft
>international's LISTSERV(R) software.  For subscription/signoff info
>and archives, see .

Patrick O'Beirne FICS, Systems Modelling Ltd.  +353 55 22294  Spreadsheet Auditing Methodology

Irony in certificate-land

<Jeremy Epstein <>>
Thu, 27 Oct 2005 15:01:21 -0400

It always amuses me when security companies mess up their security.  If
you're planning to attend the RSA Conference, you can go to, which points you to
their travel agency at  The
latter has an expired certificate.

You'd think that RSA, of all folks, would ensure that their certificates are

Risks of applying to law school

<Tony Lima <>>
Thu, 10 Nov 2005 10:44:21 -0800

No, not the risks you're thinking of.

A friend is applying to law school.  He's young but knows something about
computers.  Law schools collaborate with the Law School Admissions Council
( to use a single application form.  This form is
created using OmniForm (published by Nuance, formerly known as ScanSoft).
OmniForm requires that you install an ActiveX control on your computer.
This control apparently only works on Windows computers.  Macs are not
welcome. (So much for "Legally Blonde.") Linux and other flavors of UNIX are
beyond the pale.

My friend was mumbling obscenities about installing this control.  The
computer he was working on apparently died during the process so I took a
deep breath and said he could work with my notebook computer.  He dug into
the application, got to the ActiveX installation screen and the control
refused to install.  At that point I took over (not wanting him messing with
my security settings).  I finally got the control to install after doing the

- Disabling my anti-spyware software (ewido security suite).  I then tried
to install the control with no luck.

- Setting the privacy permission for to "allow."  Again no luck
installing the control.

- Eliminating all security by making the security settings (Tools/Internet
Options/Security/Custom Level) completely open.  I enabled each and every
ActiveX and other control including unsigned controls and controls marked as
not safe.  The control then installed successfully.

Now perhaps I didn't have to go quite that far but a deadline was
approaching and I really didn't want to take the time to perform the trial
and error that would apparently be required to determine exactly how much
security to give up.

It occurs to me that this is truly THE law school admission test.  If you're
dumb enough to let this control install you're probably good law school
material.  OTOH if you don't let the control through then you're too smart
to be a lawyer.  (That's about all the humor I can manage after 1.5 hours
fighting with this stuff.  I've disconnected from the net and am running my
usual four scanning programs right now.)

Tony Lima, Prof. of Economics, California State University, East Bay  (510) 885-3889

Producing Error-Free Software is Hard

Mon, 14 Nov 2005 20:11:03 -0600 (CST)

I installed a more recent release of Linux on two desktop machines with no
problems.  When I tried to do a similar upgrade on my laptop I ran into
trouble.  The X window system produced a blank white screen instead of a
functioning window system.

Checking with a discussion board revealed that several other people were
having the same problem, and called it several different things.  It did
seem to involve certain makes of video hardware.  I found a pointer to a bug
tracking system run by the people who produce the Linux distribution.

The bug had been reported there, several times in fact, and eventually the
several bugs were recognized as being the same and were merged into one.
Someone had figured out which library module of the X window system was
causing them problem.  He suggested a work-around of replacing that module
with the one from the previous release of Linux, since that would restore
correct operation.

Someone figured out exactly which line of code was causing the problem.  It
was being completely optimized away by the compiler, and needed to be
executed repeatedly.  He suggested a way to change the code so it would not
be optimized away, or compile with less aggressive optimization, or compile
with a previous version of the compiler.  Changing the code was rejected on
the grounds that there might be hundreds of other instances of the same code
throughout the system.  They would all have to be located and changed to
insure correct operation.

So the problem escaped being referred to the X window system people and was
instead referred to the compiler people.  They studied the offending line of
code and discussed at some length whether it was or was not correct behavior
for the compiler to optimize it away.  Some were of the opinion that the
problem should be referred to the keepers of the C language specification,
since there was disagreement about what the compiler should do with such a
line of code.  But one of their number decided that ambiguity or not,
updating the compiler should not break things that previously worked unless
the previous behavior was demonstrably wrong; so he made a change to the

This was picked up by the keepers of the Linux distribution, who made the
updated compiler available and then recompiled the X window system and made
that available as an update.  One could argue whether they should have
recompiled the entire distribution, since there is no telling how many other
programs and libraries in the system might be affected by the compiler
anomaly.  Not doing so seems reasonable enough, since it would take
resources away from fixing other bugs that have other causes.

US Military removes Word documents from the Web?

<Diomidis Spinellis <>>
Wed, 09 Nov 2005 19:25:34 +0300

In RISKS-23.50 ("U.S. military sites offer a quarter million Microsoft Word
documents"), I wrote about the large number of Microsoft Word documents
visible on US military sites (sites in the .mil domain) through Google
searches. The article documented how such documents could lead to the
leakage of confidential data. A week later I set up a script to watch the
number of Word documents available through Google searches on various TLDs
to see if and when the military would recognize the threat those documents
posed and remove them.

According to the data I gathered the number of Word documents in .mil sites
returned by Google peaked at 1,180,000 on September 20th 2005, and then
started gradually declining. Currently there are 942,000 documents
online. No such decline was visible on other domains I monitored, so the
change is probably not an artifact of Google's collection or query
mechanisms, but an organized move by the US military.  Maybe somebody
understood the risk associated with these documents and was in a position to

I've placed the charts illustrating the trends online at

Please report problems with the web pages to the maintainer