The RISKS Digest
Volume 24 Issue 71

Tuesday, 26th June 2007

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


DHS = Department of Holey Security?
United Airlines cites 'human error' for glitch
Mark J Bennison
Cause of Gripen "spontaneous ejection"
Paul E. Black
Crispin Cowan
Transport system complexity presents insurmountable risk?
Mike Martin
Improving reliability of critical software
Jeremy Epstein
Paul E. Black
More people die from sand hole collapses than sharks
Jeremy Epstein
E-vote 'threat' to UK democracy
David Lesher
Reality TV, video archives and on-line voting
Robin Fairbairns
A movie torpedoes the concept of electronic voting?
Ferdinand J. Reinke
Information leaked from web order page
Bruce Hamilton
Not much e-mail is protected from government search
Andrew Klossner
Re: Search Engine Dispute Notifications
Crispin Cowan
Advertising Risk
Rob Boudrie
Not Talking About vs. Not Doing
Gene Wirchenko
Info on RISKS (comp.risks)

DHS = Department of Holey Security?

<"Peter G. Neumann" <>>
Wed, 20 Jun 2007 18:12:36 PDT

  [See my recent testimony on Security and Privacy in the Employment
  Eligibility Verification System (EEVS), for a hearing of the House Ways
  and Means Committee Subcommittee on Social Security:   and
  DHS is responsible for EEVS.  The prototype has a four-percent error rate
  overall, which is reportedly much higher among eligible would-be employees
  who are not U.S. citizens.  PGN]

"Homeland Security Department computers and cyber systems have been infected
with viruses and malicious scripts that could compromise passwords and
information on U.S. citizens, intelligence operations and the nation's
critical infrastructure.  ... A draft report from the Homeland Security
Department's inspector general found that two computer systems at the
department's headquarters were infected with scripts that could compromise
passwords and allow unauthorized access by outsiders."  [Source: Chris
Strohm, CongressDaily, 19 June 2007, PGN-excerpted.]

  [The article by Chris Strohm was written in anticipation of another
  hearing by the same subcommittee on the same subject.  Annie Anton's
  written testimony for that hearing is also online:

United Airlines cites 'human error' for glitch

<"Bennison, Mark J" <>>
Fri, 22 Jun 2007 07:49:21 +0100

  'Chief Operating Officer Pete McDonald said the error occurred during
  routine system testing.  "Yesterday, an employee made a mistake and caused
  the failure of both Unimatic and our backup system," he said in the
  recorded call to employees. He did not elaborate on the error.'

For such a critical system one wonders why both the main and backup system
failed as a result of the mistake - indicating a lack of robustness in the
system design to me - but moreover why "routine system testing" was being
performed on a live system during peak times? In the UK I believe that
system testing (and upgrades etc) of airline computer systems occurs
overnight (OK, the concept of 'overnight' for a worldwide system is moot,
but it is performed at times of least activity).

  [See also an earlier report from 20 Jun 2007,
  Computer outage grounds United for 2 hours

Cause of Gripen "spontaneous ejection" (Re: Lima, RISKS-24.70)

<"Paul E. Black" <>>
Thu, 21 Jun 2007 13:44:25 -0400

A comment on the article by "maddogone" says, "The tests show it was the
G-suit which activated the ejection.  ... when it filled with air it pressed
against the release handle"

For an explanation of an anti-G suit, see

Cause of Gripen "spontaneous ejection" (Re: Lima, RISKS-24.70)

<Crispin Cowan <>>
Wed, 20 Jun 2007 10:41:20 -0700

Is this really a case of complex systems interaction producing unpredictable
results? Or is it that high G-forces tripped the switch to induce ejection?
The latter is just defective design of a single component with respect to
the environment it was intended for.

Crispin Cowan, Ph.D., Director of Software Engineering
AppArmor Chat:

Transport system complexity presents insurmountable risk?

<"mike martin" <>>
Thu, 21 Jun 2007 18:05:09 +1000

How difficult is it to collect a bus fare or commuter rail fare?

The state of New South Wales was to have an integrated, smartcard-based
ticketing system covering all modes of public transport other than taxis, in
time for the Sydney 2000 Olympic Games.

The system is still not working. A recent pilot trial in buses was called
off when the 420 bus drivers involved voted to boycott it. The ticket
machines kept crashing and bus drivers had to stop each time to fix them,

All well and good; it sounds like any number of other projects where
governments have been let down by technology. There is an oddity here
though. The firm selected to provide the ticketing system, ERG Group, has
been a partner in over a dozen successful projects around the world,
including the Hong Kong Octopus system, claimed to be the largest of its
type. It has supplied similar ticketing systems in San Francisco and
Washington, DC. What's unique about NSW that has caused such protracted

Yesterday a report in The Australian Financial Review (unavailable online)
gave a hint as to what the real problem is:

  "Transport experts have repeatedly warned that NSW's more than 70
  individual public transport fare products is unnecessarily large and will
  require dramatic simplification in order for an integrated ticketing
  system to be successful across all modes of transport.

  "The NSW government conceded yesterday that it would need to substantially
  simplify fare structures to make the Tcard project a reality. The most
  likely option was a system of distance-based zones similar to that of most
  other metropolitan transport authorities."

It is 11 years since the Public Transport Authority of NSW was set up to
pursue integrated ticketing as a means of increasing the attractiveness of
public transport. It appears that the government may have finally realised
what "integrated" really means.

Mike Martin, Sydney <>

Improving reliability of critical software (Re: Auslander, R-24.70)

<"Jeremy Epstein" <>>
Thu, 21 Jun 2007 12:28:42 -0400

It's a very appealing idea, but one that doesn't work.  N-version
programming has been studied, and the essential problem is that the teams
tend to make the same mistakes, and also that determining a "mismatch" is
harder than it sounds.  See J. C. Knight and N. G. Leveson. "An
experimental evaluation of the assumption of independence in multiversion
programming". In IEEE Transactions on Software Engineering, SE-12(1):96-109,
January 1986.

There's a good summary of the issues at

Take as an example the problem of building a browser, which I'd argue is one
of the biggest real-world N-version programming examples ever tried: there
are some reasonably detailed specifications as to protocols (e.g., HTTP),
layout (e.g., HTML), etc. - but there are many web sites that work (or look
"right") with one but not another browser - even setting aside features
specific to one browser (such as ActiveX).  A decision function would have a
very difficult time deciding whether the browsers give consistent results
for the specifications.

>The space shuttle software has used this technique for quite a while.

The Space Shuttle does *not* use N-version programming - it uses identical
instances of the same software, and uses redundancy to account for hardware
failures.  Again, a good explanation of the methodology used is at

The RISK?  Assuming that having multiple independent version is going to
solve mission critical reliability problems!

Improving reliability of critical software (Re: Auslander, R-24.70)

<"Paul E. Black" <>>
Thu, 21 Jun 2007 14:31:00 -0400

N-version programming to improve reliability of critical software?

N-version programming may lead to much higher quality IF errors are
independent.  Hatton 1997 cites studies that support sufficient
independence.  Brilliant, Knight, and Leveson 1990 reported that in an
experiment programmers made "equivalent logical errors" and different
logical errors caused "statistically correlated failures".  So it is no

More people die from sand hole collapses than sharks

<"Jeremy Epstein" <>>
Thu, 21 Jun 2007 08:26:19 -0400

Interesting article comparing the number of people killed in the US each
year from the collapse of sand holes (i.e., holes dug in the beach) vs.
shark attacks.  A good explanation that people are "People naturally worry
about splashier threats, such as shark attacks. However, the Marons'
research found there were 16 sand hole or tunnel deaths in the United States
from 1990 to 2006 compared with 12 fatal shark attacks for the same period".

This echoes a point frequently made in RISKS, so it should be no surprise to
any readers here.

Will legislators call for laws to improve safety and protect against
terrorists by banning sand?

Full article:

E-vote 'threat' to UK democracy

<David Lesher <>>
Mon, 25 Jun 2007 09:37:54 -0400

E-vote 'threat' to UK democracy
Ballot boxes, BBC
Observers saw big problems with e-counting systems
British democracy could be undermined by moves to use electronic voting
in elections, warns a report.

The risks involved in swapping paper ballots for electronic versions far
outweigh any benefits they may have, says the Open Rights Group report.

Technical chaos hits local counts ballot box Technical difficulties blighted
the counts in the west of Scotland Voters in the west of Scotland have been
hit by chaos during the Scottish parliamentary elections.

Counts in Argyll and Bute, Eastwood, and Strathkelvin and Bearsden were
suspended until later on Friday due to technical problems.

The problem at the Strathkelvin and Bearsden count occurred when the
computer system could not validate the votes that had been counted so far.

America's presidential election could be one of the closest in history, and
in the past four years there has been a great deal of pressure to come up
with a foolproof, electronic voting system. Ian Hardy reports on whether or
not that has been achieved.

Debate about e-voting technology may be only just beginning According to
officials in Fairfax County, the latest e-voting technology is simple,
straightforward and sure-fire.

The county's electoral official, Blanche Kapustin, says: "When they look at
the screen they'll see that the name of the person they've selected has
turned red. There's also a gigantic tick mark next to that person's name.

"They return to the summary screen, press the "next" button and once they
press the "vote" button that's the end."

The data, which is collected on a memory device, is taken to a central
location to be processed.

But opponents of e-voting say the current system is fundamentally flawed
because there is no way that a voter's intent can ever be proved by anyone,
once they have walked away from the screen.

Reality TV, video archives and on-line voting

<Robin Fairbairns <>>
Thu, 21 Jun 2007 17:44:26 +0100

One of the (apparently) less offensive sorts of reality TV in the UK is the
show where someone is chosen to perform a part in an upcoming stage

The BBC was doing one to choose a leading man for a new West-End production
of "Joseph and his amazing technicolour dreamcoat", and they had the rather
pleasing idea of finding a children's choir to perform alongside the chosen
singer in the final.  The choir was to be made up of children no older than
11; the world at large was to get the opportunity of voting on 1-minute
video clips of schools, and one of those voted into the top 20 would then be
chosen by Andrew Lloyd Webber himself (the composer of "Joseph").

Cue frenzy among the primary-school music teachers of the UK.  Existing
school choirs started learning the music for their clip; a fair few schools
decided to form a choir of their own; arrangements had to be made for
recording the clip, and so on, and so on.  This was all to the good:
everyone (who cares) is worried about music in British schools, and here was
real motivation.

But then it started to go wrong.  Very soon after the first schools had
uploaded their clips, it was clear that the server wasn't sized for the
demands that were to be placed on it.  The first time I looked at the site,
there were several-minute delays each time I asked for another performance
to consider; there were less than 200 clips on line, at the time, and voting
hadn't yet started.

It was clear the BBC hadn't realised the reaction they were going to get.
For every school that entered a choir, there were 20 children, the
children's families, the school's teachers, and assorted hangers-on like me
(my wife is a teacher).  Nearly 850 schools had entered, by the end.

The voting scheme was that each vote had to give a choir a score in the
range 1-5; places were to be decided by the choir's "average" score over all
votes they had received.  Each voter could vote for as many choirs as she
had time for.  None of the organisers seems to have considered the obvious
weakness of such a voting system.

Voter registration seems to have been on the basis of IP address — a blow
for schools (or homes) all of whose computers are NAT-addressed, and for
homes where there's only one computer with several users.

Within a few days of the server operating by fits and starts, they closed
the voting and said they were thinking again.  When voting restarted,
registration was by email address/password, entering those on-line on the
Joseph site — something I suspect will have been a disincentive to some.
The site was, however, responsive at this stage.

But even though voting was underway again, it was clear that not all was as
it should be.  The "top 20", which appeared on your screen whenever you
connected, hardly seemed to move though some of them were, in all honesty,
less deserving than many of those further down the table.

The BBC blamed the voters.  "Block voting", they said, was the order of the
day; but it's impossible to know what was actually happening since the BBC
weren't forthcoming about the details.  (It has to be said that the site
managers — BBC contractors, not BBC people — responded promptly to
reasonable enquiries.)

Eventually, even the BBC seemed to agree that even the revised voting system
was not fit for purpose.  Having delayed beyond their original deadline for
announcing the finalists, they admitted defeat on the on-line voting, and
closed the voting site.  They recruited a panel to view all the clips to
choose the top few for Lloyd Webber to review.

The school that was finally chosen hadn't appeared near the top on-line, and
I, for one, didn't see its clip.  One hopes it was better than all the
*extremely* good schools I viewed, but since the BBC withdrew all clips when
they gave up on the voting, I shan't ever know.  And I don't have a TV, so I
never saw them performing at all.

Oh, and my wife's choir was far lower in the voting than it merited.  (I
have to admit that though it's good, it wasn't up there with the very best.)
I gave it 5...

Risks: well, lots.  Don't underestimate the popularity of your site.  Don't
invent crocked voting systems; don't try to rehash your voting system on the
fly.  In short: accept that this sort of thing isn't "easy".

Of course, we don't know what advice the BBC had, so we'll never know if the
cause was the BBC managers rejecting advice on cost grounds, or their
software contractors getting the design wrong.  I can guess a scenario, but
I wouldn't care to publish it.

Robin Fairbairns — University of Cambridge Computer Laboratory

A movie torpedoes the concept of electronic voting?

<"r @ reinke" <>>
Sun, 24 Jun 2007 00:39:08 -0400

Man of the Year, with Robin Williams as President Elect Tom Dobbs

  Tom Dobbs, comedic host of a political talk show - a la Bill Maher and Jon
  Stewart - runs for President of the US as an independent candidate who,
  after an issues-oriented campaign and an explosive performance in the
  final debate, gets just enough votes to win. Trouble is he owes his
  victory to a computer glitch in the national touch-screen voting system
  marketed by Delacroy, a private company with a rising stock price. To
  protect their fortune, Delacroy executives want to keep the glitch a
  secret, but one programmer, Eleanor Green, wants Dobbs to know the
  truth. Can she get to him?  Written by jhailey.

Correct me if I am wrong, but did this movie just put a stake thru the heart
of the vampire known as "electronic voting"?

Systems provided by Delacroy ... err I mean Diebold ... could manipulate the
results of an election. Based on the movie, I've just emailed Ron Paul to
change his name to Ron Paaul. (SPOILER: In the movie, the buggy computer
program elects the candidate with the "best" double letter.) So if anyone
wants to debate about paperless electronic Internet voting and tell you how
good it will be yada yada yada, just rent them this movie. That should
finish up the discussion!

They say many a true word is said in jest.

Some times concepts can get thru via humor. My non-techie spouse said after
watching this that it would now never be approved here. Hope she's right.

This film IMHO says it all about that topic. And, says it in way that comes
across to the average person.

p.s.: The movie did have one other great line. Tom Dobbs says "Politicians
are a lot like diapers. They should be changed frequently, and for the same
reasons."  If you gather I'm no fan of politicians, you're correct. They are
like diapers!

Ferdinand J. Reinke, Kendall Park, NJ 08824

  [Well, the script writers for the film relied on a plot hook relating to a
  rather amusing accidental misprogramming rather than a Trojan horse.  The
  latter might have been more effective in making the case.  Incidentally,
  we don't generally reveal plot hooks in RISKS.  However, this film has
  been around long enough (for example, it's been on several flights with
  me well after I had seen the first run).  PGN]

Information leaked from web order page

Thu, 21 Jun 2007 11:09:22 -0600

I just placed an order with MYSTICMAID ( One checkout
step was to fill in the usual - name, address, email, phone, etc.  The page
offered to me was already filled in with someone else's information!  A
quick check showed that the phone number matched the name; I suspect that
the address, email and other items matched also.

The shopping cart software let me use that information to proceed with the
purchase, but the credit card number was not pre-filled in :-)

At least the person I called at the company expressed concern and said they
would look into it.  Tel: +1 408 553 2818   Fax: +1 408 553 3487
Agilent Technologies MS 4U-SM P.O. Box 58059, Santa Clara, CA 95051-7201

Not much e-mail is protected from government search

<Andrew Klossner <>>
Wed, 20 Jun 2007 13:24:36 -0700

The EFF press release starts out "San Francisco - The government must have a
search warrant," but in fact the ruling does not apply in San Francisco.  It
applies only in Kentucky, Michigan, Ohio, and Tennessee, the states in the
jurisdiction of the Sixth District Court of Appeals.

If the ruling is appealed to the Supreme Court, their judgment will
apply to the entire country.

Re: Search Engine Dispute Notifications (Weinstein, RISKS-24.70)

<Crispin Cowan <>>
Wed, 20 Jun 2007 15:36:28 -0700

I see a simple solution to this problem: individuals who feel defamed by
slanderous web sites just need to copyright or otherwise classify that
information about themselves as intellectual property, and then issue a DMCA
take-down order.  :-)

Crispin Cowan, Ph.D., Director of Software Engineering
AppArmor Chat:

Advertising Risk

<"Rob Boudrie" <>>
Fri, 22 Jun 2007 10:53:27 -0400

The recent disaster at Six Flags/KY where a kid had his feet severed by a
ride shows the risks of automated ad selection systems.  I viewed the video
of the story at on-line on a KY tv station, and there was the typical
automatically selected commercial one had to watch to get to the story.  The
commercial was an ad for the same Six Flags amusement park covered in the

Not Talking About vs. Not Doing

<Gene Wirchenko <>>
Wed, 20 Jun 2007 17:36:11 -0700
covers an interesting risk regarding a status change.  The key part:

  'My fiancee and I decided that showing our engagement in Facebook gave out
  a little too much personal information.

  But I did not realize that unchecking the box marked "Thomas Crampton is
  engaged to Thuy-Tien Tran" would send a message to everyone connected to
  us in Facebook that "Thomas Crampton and Thuy-Tien Tran are no longer

Complications ensued.

Please report problems with the web pages to the maintainer