[See my recent testimony on Security and Privacy in the Employment Eligibility Verification System (EEVS), for a hearing of the House Ways and Means Committee Subcommittee on Social Security:
http://www.csl.sri.com/neumann/house07.pdf and
http://www.acm.org/usacm/PDF/EEVS_Testimony_Peter_Neumann_USACM.pdf
DHS is responsible for EEVS. The prototype has a four-percent error rate overall, which is reportedly much higher among eligible would-be employees who are not U.S. citizens. PGN]

"Homeland Security Department computers and cyber systems have been infected with viruses and malicious scripts that could compromise passwords and information on U.S. citizens, intelligence operations and the nation's critical infrastructure. ... A draft report from the Homeland Security Department's inspector general found that two computer systems at the department's headquarters were infected with scripts that could compromise passwords and allow unauthorized access by outsiders."

[Source: Chris Strohm, CongressDaily, 19 June 2007, PGN-excerpted.]
http://govexec.com/dailyfed/0607/061907cdpm2.htm

[The article by Chris Strohm was written in anticipation of another hearing by the same subcommittee on the same subject. Annie Anton's written testimony for that hearing is also online:
http://www.acm.org/usacm/PDF/SSN_Anton_USACM_testimony.pdf PGN]
'Chief Operating Officer Pete McDonald said the error occurred during routine system testing. "Yesterday, an employee made a mistake and caused the failure of both Unimatic and our backup system," he said in the recorded call to employees. He did not elaborate on the error.'

For such a critical system one wonders why both the main and backup system failed as a result of the mistake - indicating a lack of robustness in the system design to me - but moreover why "routine system testing" was being performed on a live system during peak times? In the UK I believe that system testing (and upgrades etc) of airline computer systems occurs overnight (OK, the concept of 'overnight' for a worldwide system is moot, but it is performed at times of least activity).

[See also an earlier report from 20 Jun 2007, Computer outage grounds United for 2 hours
http://www.cnn.com/2007/TRAVEL/06/20/united.flights.ap/index.html PGN]
A comment on the article by "maddogone" says, "The tests show it was the G-suit which activated the ejection. ... when it filled with air it pressed against the release handle" For an explanation of an anti-G suit, see http://www.daviddarling.info/encyclopedia/A/antigsuit.html
Is this really a case of complex systems interaction producing unpredictable results? Or is it that high G-forces tripped the switch to induce ejection? The latter is just defective design of a single component with respect to the environment it was intended for. Crispin Cowan, Ph.D., Director of Software Engineering http://novell.com AppArmor Chat: irc.oftc.net/#apparmor http://crispincowan.com/~crispin/
How difficult is it to collect a bus fare or commuter rail fare? The state of New South Wales was to have an integrated, smartcard-based ticketing system covering all modes of public transport other than taxis, in time for the Sydney 2000 Olympic Games. The system is still not working. A recent pilot trial in buses was called off when the 420 bus drivers involved voted to boycott it. The ticket machines kept crashing and bus drivers had to stop each time to fix them.
http://www.smh.com.au/news/national/driver-boycott-delays-tcard-once-again/2007/06/14/1181414469692.html

All well and good; it sounds like any number of other projects where governments have been let down by technology. There is an oddity here though. The firm selected to provide the ticketing system, ERG Group, has been a partner in over a dozen successful projects around the world, including the Hong Kong Octopus system, claimed to be the largest of its type. It has supplied similar ticketing systems in San Francisco and Washington, DC. What's unique about NSW that has caused such protracted delays?

Yesterday a report in The Australian Financial Review (unavailable online) gave a hint as to what the real problem is: "Transport experts have repeatedly warned that NSW's more than 70 individual public transport fare products is unnecessarily large and will require dramatic simplification in order for an integrated ticketing system to be successful across all modes of transport. "The NSW government conceded yesterday that it would need to substantially simplify fare structures to make the Tcard project a reality. The most likely option was a system of distance-based zones similar to that of most other metropolitan transport authorities."

It is 11 years since the Public Transport Authority of NSW was set up to pursue integrated ticketing as a means of increasing the attractiveness of public transport. It appears that the government may have finally realised what "integrated" really means.
Mike Martin, Sydney <email@example.com>
It's a very appealing idea, but one that doesn't work. N-version programming has been studied, and the essential problem is that the teams tend to make the same mistakes, and also that determining a "mismatch" is harder than it sounds. See J. C. Knight and N. G. Leveson, "An experimental evaluation of the assumption of independence in multiversion programming", IEEE Transactions on Software Engineering, SE-12(1):96-109, January 1986. There's a good summary of the issues at http://en.wikipedia.org/wiki/N-Version_Programming.

Take as an example the problem of building a browser, which I'd argue is one of the biggest real-world N-version programming examples ever tried: there are some reasonably detailed specifications as to protocols (e.g., HTTP), layout (e.g., HTML), etc. - but there are many web sites that work (or look "right") with one but not another browser - even setting aside features specific to one browser (such as ActiveX). A decision function would have a very difficult time deciding whether the browsers give consistent results for the specifications.

>The space shuttle software has used this technique for quite a while.

The Space Shuttle does *not* use N-version programming - it uses identical instances of the same software, and uses redundancy to account for hardware failures. Again, a good explanation of the methodology used is at http://en.wikipedia.org/wiki/Space_shuttle.

The RISK? Assuming that having multiple independent versions is going to solve mission critical reliability problems!
N-version programming to improve reliability of critical software? N-version programming may lead to much higher quality IF errors are independent. Hatton 1997 cites studies that support sufficient independence. Brilliant, Knight, and Leveson 1990 reported that in an experiment programmers made "equivalent logical errors" and different logical errors caused "statistically correlated failures". So it is no panacea.
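As an added illustration of the point both posts above make (this code is not from either contributor, nor from Knight and Leveson), the block below computes the failure probability of a 3-version majority voter under the independence assumption and under a constructed common-mode model in which every team makes the same logical error on a fraction of the inputs; it also shows why an exact-equality "mismatch" test is harder than it sounds once the versions produce floating-point results:

```python
from math import comb


def majority_failure_independent(p, n=3):
    """P(a majority of n versions fail on an input) when each version fails
    independently with probability p: the assumption N-version relies on."""
    k_min = n // 2 + 1
    return sum(comb(n, k) * p ** k * (1 - p) ** (n - k) for k in range(k_min, n + 1))


def majority_failure_correlated(p, common, n=3):
    """Constructed common-mode model (an assumption for illustration): a
    fraction `common` of inputs is 'hard' and every team makes the same
    mistake on them, so all versions fail together.  On the remaining inputs
    versions fail independently with probability p_rest, chosen so that each
    version's overall failure rate is still p.  Returns P(majority fails)."""
    if not 0 <= common <= p < 1:
        raise ValueError("need 0 <= common <= p < 1")
    p_rest = (p - common) / (1 - common)
    return common + (1 - common) * majority_failure_independent(p_rest, n)


def correlation_penalty(p, common, n=3):
    """How many times worse the voted system is under the correlated model
    than the independence calculation promises."""
    return majority_failure_correlated(p, common, n) / majority_failure_independent(p, n)


def majority_vote(outputs, same=lambda a, b: a == b):
    """Return an output agreed by a strict majority of versions, or None.
    `same` is the mismatch test; exact equality is the naive choice."""
    for cand in outputs:
        if sum(1 for o in outputs if same(cand, o)) * 2 > len(outputs):
            return cand
    return None


if __name__ == "__main__":
    p = 0.01  # constructed: each version fails on 1% of inputs
    print(f"independent 3-version: {majority_failure_independent(p):.6f}")
    for common in (0.0, 0.001, 0.005):
        print(f"common-mode {common}: {majority_failure_correlated(p, common):.6f} "
              f"({correlation_penalty(p, common):.1f}x the independent figure)")
    # Three 'correct' computations of 0.3 that are three different doubles.
    results = [0.1 + 0.2, 0.3, 0.7 - 0.4]
    print("exact voter:", majority_vote(results))
    print("tolerant voter:", majority_vote(results, same=lambda a, b: abs(a - b) < 1e-9))
```

With half of the 1% per-version failures being common-mode, the voted system fails roughly seventeen times more often than the independence formula predicts, and the exact-equality voter reports no majority for three numerically equivalent answers.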
Interesting article comparing the number of people killed in the US each year from the collapse of sand holes (i.e., holes dug in the beach) vs. shark attacks. A good explanation that people are "People naturally worry about splashier threats, such as shark attacks. However, the Marons' research found there were 16 sand hole or tunnel deaths in the United States from 1990 to 2006 compared with 12 fatal shark attacks for the same period". This echoes a point frequently made in RISKS, so it should be no surprise to any readers here. Will legislators call for laws to improve safety and protect against terrorists by banning sand? Full article: http://www.cnn.com/2007/HEALTH/06/20/sand.deaths.ap/index.html
E-vote 'threat' to UK democracy
Observers saw big problems with e-counting systems
British democracy could be undermined by moves to use electronic voting in elections, warns a report.
http://news.bbc.co.uk/1/hi/technology/6229640.stm
The risks involved in swapping paper ballots for electronic versions far outweigh any benefits they may have, says the Open Rights Group report.

Technical chaos hits local counts
Technical difficulties blighted the counts in the west of Scotland
Voters in the west of Scotland have been hit by chaos during the Scottish parliamentary elections.
http://news.bbc.co.uk/2/hi/uk_news/scotland/glasgow_and_west/6623239.stm
Counts in Argyll and Bute, Eastwood, and Strathkelvin and Bearsden were suspended until later on Friday due to technical problems. The problem at the Strathkelvin and Bearsden count occurred when the computer system could not validate the votes that had been counted so far.

http://news.bbc.co.uk/2/hi/programmes/click_online/3945675.stm
America's presidential election could be one of the closest in history, and in the past four years there has been a great deal of pressure to come up with a foolproof, electronic voting system. Ian Hardy reports on whether or not that has been achieved.

Debate about e-voting technology may be only just beginning
According to officials in Fairfax County, the latest e-voting technology is simple, straightforward and sure-fire. The county's electoral official, Blanche Kapustin, says: "When they look at the screen they'll see that the name of the person they've selected has turned red. There's also a gigantic tick mark next to that person's name. "They return to the summary screen, press the "next" button and once they press the "vote" button that's the end." The data, which is collected on a memory device, is taken to a central location to be processed.
But opponents of e-voting say the current system is fundamentally flawed because there is no way that a voter's intent can ever be proved by anyone, once they have walked away from the screen.
One of the (apparently) less offensive sorts of reality TV in the UK is the show where someone is chosen to perform a part in an upcoming stage production. The BBC was doing one to choose a leading man for a new West-End production of "Joseph and his amazing technicolour dreamcoat", and they had the rather pleasing idea of finding a children's choir to perform alongside the chosen singer in the final. The choir was to be made up of children no older than 11; the world at large was to get the opportunity of voting on 1-minute video clips of schools, and one of those voted into the top 20 would then be chosen by Andrew Lloyd Webber himself (the composer of "Joseph").

Cue frenzy among the primary-school music teachers of the UK. Existing school choirs started learning the music for their clip; a fair few schools decided to form a choir of their own; arrangements had to be made for recording the clip, and so on, and so on. This was all to the good: everyone (who cares) is worried about music in British schools, and here was real motivation.

But then it started to go wrong. Very soon after the first schools had uploaded their clips, it was clear that the server wasn't sized for the demands that were to be placed on it. The first time I looked at the site, there were several-minute delays each time I asked for another performance to consider; there were less than 200 clips on line, at the time, and voting hadn't yet started. It was clear the BBC hadn't realised the reaction they were going to get. For every school that entered a choir, there were 20 children, the children's families, the school's teachers, and assorted hangers-on like me (my wife is a teacher). Nearly 850 schools had entered, by the end.

The voting scheme was that each vote had to give a choir a score in the range 1-5; places were to be decided by the choir's "average" score over all votes they had received. Each voter could vote for as many choirs as she had time for.
None of the organisers seems to have considered the obvious weakness of such a voting system. Voter registration seems to have been on the basis of IP address -- a blow for schools (or homes) all of whose computers are NAT-addressed, and for homes where there's only one computer with several users. Within a few days of the server operating by fits and starts, they closed the voting and said they were thinking again.

When voting restarted, registration was by email address/password, entering those on-line on the Joseph site -- something I suspect will have been a disincentive to some. The site was, however, responsive at this stage.

But even though voting was underway again, it was clear that not all was as it should be. The "top 20", which appeared on your screen whenever you connected, hardly seemed to move though some of them were, in all honesty, less deserving than many of those further down the table. The BBC blamed the voters. "Block voting", they said, was the order of the day; but it's impossible to know what was actually happening since the BBC weren't forthcoming about the details. (It has to be said that the site managers -- BBC contractors, not BBC people -- responded promptly to reasonable enquiries.)

Eventually, even the BBC seemed to agree that even the revised voting system was not fit for purpose. Having delayed beyond their original deadline for announcing the finalists, they admitted defeat on the on-line voting, and closed the voting site. They recruited a panel to view all the clips to choose the top few for Lloyd Webber to review.

The school that was finally chosen hadn't appeared near the top on-line, and I, for one, didn't see its clip. One hopes it was better than all the *extremely* good schools I viewed, but since the BBC withdrew all clips when they gave up on the voting, I shan't ever know. And I don't have a TV, so I never saw them performing at all. Oh, and my wife's choir was far lower in the voting than it merited.
(I have to admit that though it's good, it wasn't up there with the very best.) I gave it 5...

Risks: well, lots. Don't underestimate the popularity of your site. Don't invent crocked voting systems; don't try to rehash your voting system on the fly. In short: accept that this sort of thing isn't "easy". Of course, we don't know what advice the BBC had, so we'll never know if the cause was the BBC managers rejecting advice on cost grounds, or their software contractors getting the design wrong. I can guess a scenario, but I wouldn't care to publish it.

Robin Fairbairns -- University of Cambridge Computer Laboratory
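As an added illustration (not the contributor's code, and not anything the BBC or its contractors are known to have used) of why ranking by a raw average over however many votes a choir happens to receive goes wrong, and what two standard fixes do about it: keeping only one score per voter per choir, and damping each average toward the global mean with a fixed number of phantom votes. Choir names and ballots are constructed.

```python
from collections import defaultdict
from statistics import mean


def build_ballots():
    """Constructed ballots as (voter_id, choir, score 1..5).  Voter ids are
    whatever registration hands us (email/password here, not IP address)."""
    ballots = []
    # 40 distinct voters rate "Hilltop Primary": 38 fives and 2 fours.
    for i in range(40):
        ballots.append((f"v{i}", "Hilltop Primary", 5 if i < 38 else 4))
    # A single voter gives "Riverside Juniors" one 5.
    ballots.append(("v40", "Riverside Juniors", 5))
    # One voter submits the same 5 for "Meadow School" six times over.
    ballots += [("v41", "Meadow School", 5)] * 6
    # 30 distinct voters rate "Oakdene Academy" a middling 3.
    for i in range(30):
        ballots.append((f"v{50 + i}", "Oakdene Academy", 3))
    return ballots


def tally(ballots, one_vote_per_voter=True):
    """Group scores by choir; by default keep only the last score each voter
    gave a choir, so repeat submissions do not pile up."""
    if one_vote_per_voter:
        latest = {}
        for voter, choir, score in ballots:
            latest[(voter, choir)] = score
        ballots = [(v, c, s) for (v, c), s in latest.items()]
    scores = defaultdict(list)
    for _, choir, score in ballots:
        scores[choir].append(score)
    return scores


def rank_raw_mean(scores):
    """The scheme described above: order choirs by plain average score."""
    return sorted(scores, key=lambda c: mean(scores[c]), reverse=True)


def rank_damped_mean(scores, prior_votes=20):
    """Bayesian-average ranking: each choir starts with `prior_votes` phantom
    votes at the global mean, so one lucky 5 cannot beat forty near-5s."""
    global_mean = mean(s for ss in scores.values() for s in ss)

    def damped(choir):
        n = len(scores[choir])
        return (sum(scores[choir]) + prior_votes * global_mean) / (n + prior_votes)

    return sorted(scores, key=damped, reverse=True)


if __name__ == "__main__":
    scores = tally(build_ballots())
    print("raw mean   :", rank_raw_mean(scores))
    print("damped mean:", rank_damped_mean(scores))
```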
Man of the Year, with Robin Williams as President Elect Tom Dobbs

Tom Dobbs, comedic host of a political talk show - a la Bill Maher and Jon Stewart - runs for President of the US as an independent candidate who, after an issues-oriented campaign and an explosive performance in the final debate, gets just enough votes to win. Trouble is he owes his victory to a computer glitch in the national touch-screen voting system marketed by Delacroy, a private company with a rising stock price. To protect their fortune, Delacroy executives want to keep the glitch a secret, but one programmer, Eleanor Green, wants Dobbs to know the truth. Can she get to him? Written by jhailey. http://www.imdb.com/title/tt0483726/

Correct me if I am wrong, but did this movie just put a stake thru the heart of the vampire known as "electronic voting"? Systems provided by Delacroy ... err I mean Diebold ... could manipulate the results of an election. Based on the movie, I've just emailed Ron Paul to change his name to Ron Paaul. (SPOILER: In the movie, the buggy computer program elects the candidate with the "best" double letter.)

So if anyone wants to debate about paperless electronic Internet voting and tell you how good it will be yada yada yada, just rent them this movie. That should finish up the discussion! They say many a true word is said in jest. Some times concepts can get thru via humor. My non-techie spouse said after watching this that it would now never be approved here. Hope she's right. This film IMHO says it all about that topic. And, says it in way that comes across to the average person.

p.s.: The movie did have one other great line. Tom Dobbs says "Politicians are a lot like diapers. They should be changed frequently, and for the same reasons." If you gather I'm no fan of politicians, you're correct. They are like diapers!

Ferdinand J. Reinke, Kendall Park, NJ 08824 http://www.reinke.cc/ http://www.reinkefaceslife.com/ http://www.linkedin.com/in/reinkefj

[Well, the script writers for the film relied on a plot hook relating to a rather amusing accidental misprogramming rather than a Trojan horse. The latter might have been more effective in making the case. Incidentally, we don't generally reveal plot hooks in RISKS. However, this film has been around long enough (for example, it's been on several flights with me well after I had seen the first run). PGN]
I just placed an order with MYSTICMAID (www.mysticmaid.com). One checkout step was to fill in the usual - name, address, email, phone, etc. The page offered to me was already filled in with someone else's information! A quick check showed that the phone number matched the name; I suspect that the address, email and other items matched also. The shopping cart software let me use that information to proceed with the purchase, but the credit card number was not pre-filled in :-) At least the person I called at the company expressed concern and said they would look into it.

firstname.lastname@example.org Tel: +1 408 553 2818 Fax: +1 408 553 3487
Agilent Technologies MS 4U-SM P.O. Box 58059, Santa Clara, CA 95051-7201
The EFF press release starts out "San Francisco - The government must have a search warrant," but in fact the ruling does not apply in San Francisco. It applies only in Kentucky, Michigan, Ohio, and Tennessee, the states in the jurisdiction of the Sixth District Court of Appeals. If the ruling is appealed to the Supreme Court, their judgment will apply to the entire country.
I see a simple solution to this problem: individuals who feel defamed by slanderous web sites just need to copyright or otherwise classify that information about themselves as intellectual property, and then issue a DMCA take-down order. :-) Crispin Cowan, Ph.D., Director of Software Engineering http://novell.com AppArmor Chat: irc.oftc.net/#apparmor http://crispincowan.com/~crispin/
The recent disaster at Six Flags/KY where a kid had his feet severed by a ride shows the risks of automated ad selection systems. I viewed the video of the story on-line on a KY TV station, and there was the typical automatically selected commercial one had to watch to get to the story. The commercial was an ad for the same Six Flags amusement park covered in the story.
http://thomascrampton.com/2007/06/15/perils-of-privacy-on-facebook/ covers an interesting risk regarding a status change. The key part: 'My fiancee and I decided that showing our engagement in Facebook gave out a little too much personal information. But I did not realize that unchecking the box marked "Thomas Crampton is engaged to Thuy-Tien Tran" would send a message to everyone connected to us in Facebook that "Thomas Crampton and Thuy-Tien Tran are no longer engaged".' Complications ensued.