The RISKS Digest
Volume 24 Issue 76

Tuesday, 31st July 2007

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Scientists' Tests Hack Into Electronic Voting Machines
California Voting System Hacking Report
Rebecca Mercuri
Earthquakes and O rings
Rod Van Meter
If this guy's telling the truth, he should never fly an airplane
Erling Kristiansen
Three little zeroes
Mark Brader
Department of Health Proposes New Records System
Comair Flight 5191
Andrew Koenig
Re: Accuracy of Hawkeye at Wimbledon
David Alexander
Re: iPhone Security Flaw
Nicholas Weaver
Re: Risk with the Mac OS X 10.4.10 version number
Richard Grady
Info on RISKS (comp.risks)

Scientists' Tests Hack Into Electronic Voting Machines

<Daniel Graifer <>>
Sat, 28 Jul 2007 13:30:35 -0400

"Computer scientists from California universities have hacked into three
electronic voting systems used in California and elsewhere in the nation and
found several ways in which vote totals could potentially be altered,
according to reports released yesterday by the state."

The article includes discussion of the current House bill to require paper
audit trails.

Source: *The New York Times*

Daniel A. Graifer  Home: 703-425-4512  Cell: 703-967-3635

California Voting System Hacking Report

<"R. Mercuri" <>>
Fri, 27 Jul 2007 20:14:59 -0400

Just in case you haven't seen this yet, here's the California Overview
of the Hacking Report:

My executive summary of the overview is as follows:

At a cost of $1.8M, the California Secretary of State now has a report that
confirms that all of the State's Hart, Diebold and Sequoia DRE and OpScan
voting systems can be hacked in various ways. Potential hacks include the
all-important ability to have a VVPAT print out one thing and the DRE total
reflect something else, thus rendering the VVPAT moot, as well as the
capability of detecting election mode (thus enabling the pre-election
testing to appear correct, while the actual election has been
compromised). All of these are types of hacks that many knowledgeable people
have been saying for years could happen, and now we know that for sure they
can. Oh, and guess what else? "The security mechanisms provided for all
systems analyzed were inadequate to ensure accuracy and integrity of the
election results." Gee, what a surprise.

Unfortunately the report provides a fall-back position whereby these
wretched election products can continue to be used — by claiming that many
of the attack scenarios can be mitigated through better physical security,
security training of staff, and contingency planning. Of course the report
fails to mention that if the staff or the vendor is corrupt and their
contingency plan is to cover up their tracks, we now know for sure that a
game plan for fraud is certainly possible. So let's just throw more money at
additional security mechanisms and training while we all pretend that we're
conducting legitimate elections. Good job, guys, thanks for letting the CA
SoS off the hook.

Here's a novel thought: why not just throw this crap in the junk heap where
it belongs, vote on paper, and let the citizens do the counting?  Maybe for
another $1.8M some State can get a team of PhDs to validate that conclusion.

Rebecca Mercuri.
Permission Granted to Post This Message in its Entirety.

California Voting System Hacking Report

<"Peter G. Neumann" <>>

Apparently along with many other Web watchers, I spent time yesterday
watching an all-day hearing of the California Secretary of State, Debra
Bowen, interrupted by frozen screens presumably resulting from too many
people trying to follow the live webcast.  In my opinion, Secretary Bowen
has consistently sought a better understanding of the integrity, accuracy,
reliability, and survivability of the electronic voting systems that are in
use in California — or the lack thereof.  (Several of us had testified in
February 2006 for her California Senate Elections Committee, with my
testimony on the relative merits of openness in voting systems available at .)

Five reports are now available on the California SoS website:
including the red-team overview, red-team analysis of Diebold, Hart, and
Sequoia systems, as well as a detailed analysis of accessibility and
usability of the three systems — conducted by Noel Runyan and Jim Tobias.
Further reports analyzing source code and documentation for each of the
three systems have not yet been released; according to the website, these
reports will be posted "as soon as the Secretary of State ensures the
reports do not inadvertently disclose security-sensitive information."

Here are my own personal comments.  (NOTE: I was *not* a part of the
Top-to-Bottom Review [TTBR], and have not been privy to any inside

I applaud analyses that provide greater sunshine in the election process,
even if they can address only a part of the total system.  (Election system
vendors have typically hidden behind proprietary status of everything --
including not only the software but also the data formats, and even internal
voting data in disputed elections.)  However, analyses must always be
considered in the context of the total system — hardware, software,
procedures, users, the physical premises, and so on.  Given various late
starts and the fixed termination date for all of the efforts that was
imposed by the hearing, the results available thus far seem worthy — albeit
clearly not surprising to those of us (including Rebecca Mercuri) who have
been involved in seeking integrity in the election process for many years.
(My involvement goes back to the mid-1980s.)  The systems have generally
been known to be lacking in good software engineering practice, built-in
security, and measures that might have obviated the need for extensive
operational procedures.  The findings of the University of California teams
can provide further evidence of that to those people — including lawmakers
-- who have not previously been exposed to the innards.

The red-team overview report, which notes the need for procedural
mitigations to overcome the existence of technological vulnerabilities,
tries to give some perspective to the public by pointing out that the
electronic voting systems are only one part of a larger process.  Long-time
RISKS readers by now know how important it is to consider the results of the
process as a whole rather than looking only at the individual pieces in
isolation.  Also, note that the overview does not say *all* flaws can be
overcome; it says that the reviewers believe *many* can be compensated for.
As Matt Bishop stated during the final question-and-answer session of
yesterday's public hearing, his personal opinion is that some flaws require
changes to the technology, rather than just procedural adjustments.  (This
occurs about 6:41:00 into the streaming video, which can be found at  I have generally believed this to be true,
because people are fallible and not always able or willing to follow the
procedures.  It seems to be especially important in elections, in which
human frailty needs to be avoided and where tamper-resistant and
tamper-evident audit trails are essential.

There were of course critics in the hearing who believe that the
technological study was lacking in reality: for example, it was inherently
incomplete because only 3 of the 9 systems currently in use in California
were included; it did not adequately address procedural issues, which might
compensate for the security and privacy protection vulnerabilities that the
TTBR was intended to identify; it failed to caveat the vulnerabilities with
an assessment of the risks of exploitation of the vulnerabilities.  (On the
other hand, RISKS readers are familiar with our persistent warnings about
the risks of flawed quantitative risk assessment.)  One complaint was that
the effort was a waste of time, because no malware was detected.  (However,
the study never attempted to look specifically for malware.  I would presume
that the software provided by the vendors was free of intentional malware,
and furthermore, given the demonstrated vulnerabilities, installing malware
would not be at all difficult — either in the development process or
subsequently!)  Several election officials reported being completely happy
with the electronic systems, and claimed that there have never been any
problems.  (But many would-be problems with DREs can be undetectable.)

All in all, I believe that Secretary Bowen's desire for a top-to-bottom
review of the entire election process will benefit from a better
understanding of the technological vulnerabilities — even though they
certainly represent just one piece of the overall puzzle.

Earthquakes and O rings (via Dave Farber's IP)

<Rod Van Meter <>>
July 23, 2007 2:44:58 AM EDT

  [Another example of the globality of local risks...  PGN]

By now everyone has heard of the M6.8 earthquake up in Niigata last
week, a couple of hours north of Tokyo by shinkansen.  Ten people were
killed (all in their 70s and 80s, living in traditional-style houses
with heavy ceramic tile roofs that collapsed), 6,000 homes and buildings
destroyed, roads cracked and/or covered by landslides, a fault slip that
came to the surface and displaced a section tens of kilometers long by
something like a meter.  Net effect was (if I recall) to push one plate
16cm north.

The biggest newsmaker has been the effect on the Tokyo Electric Power
(TEPCO) nuclear plant, the largest in the world.  Leaks of radioactive
water, hundreds of barrels of radioactive waste tipped over (some broke
open and leaked), etc.  The most recent list of problems was 63 items
long.  Opposed to or in favor of nuclear power, TEPCO's slow response
and misinformation are creating a firestorm here.  The reactor itself
was designed to withstand only a 6.5; regulations were already under
revision to up that number, but weaker plants will be in use for

But you knew that, and I want to talk about piston rings, not nuclear

One small company in Niigata, Riken (no relation to the research lab
with a similar English name, I'm sure) makes 60% of the piston O rings
used by *all* of the car manufacturers in Japan.  Their plant was badly

Japan's auto makers, of course, are famed for their "just in time"
supply chain management.  I know people who have worked for
subcontractors, and the penalty for being late in supplying a critical
part can easily exceed $100,000 A DAY.

Toyota was forced to idle at least 27 plants, Daihatsu four, Honda and
other manufacturers several each.  Toyota is still shut down, as of this
writing (Monday, a week after the quake), and has an output loss of
46,000 cars or more.  I haven't seen a breakdown of the percentage
intended for domestic consumption versus export.

One interesting part of the response is that the auto manufacturers sent
teams of their idled workers to Niigata to help Riken clean up and get
back in production.  They were there helping by Thursday, despite the
transportation disruption, general shortages of goods including water,
food, and electricity, and risk of aftershocks.

One point and one question:

* A disaster it is, but a relatively local one, in a mid-level city
where events rarely make the world news.  And yet it will affect car
prices around the world, no doubt.  Just one more data point that the
world's economy is one large web.

* Toyota is a very well-run company, but they let this happen to them
with an important single-sourced part.  How good is YOUR disaster plan,
whether personal or corporate?  How good are your suppliers' disaster
plans, and their suppliers'?

IP Archives:

If this guy's telling the truth, he should never fly an airplane

<Erling Kristiansen <>>
Fri, 27 Jul 2007 20:44:09 +0200


  Wilson Felder, director of the William J. Hughes Technical Center in
  Atlantic City that is evaluating the system, told reporters that ADS-B is
  something all pilots should want in their panels.  He's flown with it
  personally for about 60 hours in his Cessna 172 and seen its value
  firsthand.  "It's saved my life at least three times," he said.
    <> issue 13.30e

[Must be a pretty lousy pilot if he needs to have his life saved 3 times by
a new gadget in 60 hours of flight!]

Three little zeroes

< (Mark Brader)>
Fri, 27 Jul 2007 13:57:50 -0400 (EDT)

Frank Van Buran is an accountant in New York.  He had an Exxon Mobil credit
card for his business, which was expiring.  He asked for two copies of the
new one.  He got them — and then 2,000 more.  Which were left in boxes on
his doorstep, where anyone could steal them, and which the company expected
him to destroy (it took hours).  Nothing seems to have been publicized as to
what exactly went wrong, but how could it be anything but computer-related?

Mark Brader, Toronto, | "Volts are like proof" --Steve Summit

Department of Health Proposes New Records System (EPIC Alert 14.15)

<EPIC News <>>
Fri, 27 Jul 2007 18:09:36 -0400

  [Excerpted from Volume 14.15, 27 Jul 2007.  PGN]

                              E P I C  A l e r t
                               Published by the
                  Electronic Privacy Information Center (EPIC)
                               Washington, D.C.

Department of Health Proposes New Records System

On June 26, the Department of Health and Human Services (HHS) proposed
to establish the National Disaster Medical System (NDMS) Patient
Treatment and Tracking Records System. The goal of this new records
system is to collect individual health data from people receiving
medical care provided by NDMS. The NDMS is a joint effort between HHS,
the Department of Defense, the Department of Homeland Security, and the
Veteran's Administration to provide additional resources to supplement
the public health and health care actions local and state governments
provide during emergencies.

Under the proposal, all persons treated by NDMS medical staff may have
their health data recorded and placed into a record system. This would
include demographic information as well as data regarding patient
diagnosis, treatment, and location.   This data may be obtained from the
individual patients, their physicians, or by access to the health
records of patients.

The NDMS Patient Tracking System contains various "routine use" disclosures
to all the federal agencies that share responsibility for evacuation and
treatment of patients under NDMS in order to ensure the highest level of
patient care possible.  Routine use disclosures may also be made to
consultants, contractors, and grantees who may require access to the health
records for business purposes related to the collection of the data.
Lastly, routine use disclosures will be made to state and federal agencies
as necessary to establish the benefit entitlement of the patient or to help
families locate evacuated family members.

The routine use disclosures contained within the NDMS Patient Tracking
System raise some privacy concerns that EPIC addressed in comments submitted
to HHS on July 26.  In the comments, EPIC stated that HHS should build
privacy protections into the system in order to ensure that patients receive
quality emergency health care without having to sacrifice their medical
privacy.  EPIC also urged HHS to clearly define how the system of records
notice will comport with the Health Insurance and Portability Act (HIPAA).
Any proposed routine use disclosures that violate HIPAA provisions should
not be included.

The NDMS Patient Tracking System collects data during emergency situations.
Due to the extreme nature of these events, privacy and safety can easily be
overlooked if they have not already been built into the system.  EPIC urged
HHS to consider the impact that the proposed routine use disclosures could
have on victims of domestic violence, as well as other displaced
individuals. After Hurricane Katrina, numerous evacuees faced instances of
personal information abuse. For this reason, EPIC encourages the use of
health data collected by the NDMS for patient treatment purposes only.

EPIC's Webpage on Hurricane Katrina and Identity Theft:

EPIC's Webpage on Domestic Violence and Privacy:

EPIC's Comments on NDMS Patient Treatment and Tracking Records System (pdf):

Department of Health and Human Services System of Records Notice (June
26, 2007) (pdf):

Comair Flight 5191 (RISKS-24.75)

<"Andrew Koenig" <>>
Thu, 26 Jul 2007 09:26:52 -0400

The report in RISKS 24.75 inadvertently pointed out an example of an
organizational antipattern--a kind of behavior that appears on the surface
to solve a problem but actually does the opposite.

The first sentence: "Comair pilot instructors testified that the crew of
Comair Flight 5191 committed numerous procedural violations relating to
briefing, taxiing, and 'sterile cockpit' rules (maintaining a
distraction-free cockpit) before taking off from the wrong runway..."

The fallacy is "post hoc, ergo propter hoc."  In other words, the crew
violated procedures, then crashed; so it is tempting to assume that the
violation caused the crash--despite the other problems cited later in the
article.  From a bureaucrat's viewpoint, this assumption can then be used to
make the procedures more restrictive, increase crew monitoring, etc., all
without proving that the procedures are actually useful.

Of course it is possible that the procedural violations caused the crash.
The antipattern--and one that is particularly tempting for bureaucratic
organizations--is to assume without proof that they did so, perhaps because
that assumption is the one that most benefits the organization.

Re: Accuracy of Hawkeye at Wimbledon

<David Alexander <>>
Fri, 27 Jul 2007 23:17:11 +0100

I read the submission from Mike Scott, regarding the errors he recalls
seeing in the Wimbledon tennis 'Hawkeye' line-call system last year and the
reliance of the Lawn Tennis Association upon it this year.

Mr Scott makes no allowance for the upgrades to the system, and testing,
that have taken place in the intervening 12 months. It would have been wrong
to rely on the system in its debut year because it certainly had some
accuracy issues. Those have now been largely resolved and the system was
used with overall approval from almost everyone It's not perfect, but it's
now more accurate than the 'mark one eyeball' of the line judges. There were
only 4 days out of the whole tournament where the challenges by players
against its performance were upheld more than 50% of the time, after
reviewing the footage.

This system has now been adopted for all of the Grand Slam tournaments
except France, which is a clay court surface.

David Alexander, Towcester, Northamptonshire, England

  [Challenges "upheld more than 50% of the time?"  That would be an
  intolerable error rate for many other situations, such as the Employment
  Eligibility Verification System or a terrorist watch list or automated
  face recognition, especially on a large scale.  On the other hand, some
  tennis players are known to have completely lost their cool as a result of
  egregious line calls.  One might think that the chair umpire would call a
  LET instead of letting a "definitive" simulation stand when the margin of
  error of the simulation may be much greater than the width of the actual
  ball suitably flattened by an overhead smash.  PGN]

Re: iPhone Security Flaw (Leeson, RISKS-24.75)

<Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>>
Wed, 25 Jul 2007 14:49:15 -0700

Given the ease of spoofing packets and the other games which can be played
on a wireless network, it wouldn't surprise me if the "person sitting next
to you" could exploit this to infect your system, e.g., by quickly bursting
a HTTP redirect (even before the remote site really completes the handshake
and realizes something is wrong) and then carrying out the exploit through
the redirected page.

Re: Risk with the Mac OS X 10.4.10 version number (Yip, RISKS-24.72)

<Richard Grady <>>
Sun, 29 Jul 2007 19:30:33 -0700

Microsoft had an analogous problem when MS-DOS was introduced, way before
the Windows system.  The solved it with the SETVER command.  This excerpt
explains the purpose of SETVER:

  Definition of: DOS Setver
  An external command starting with DOS 5 that updates a version table
  containing names of programs and the DOS version number they need to run
  under. Programs may test version numbers and function differently as a
  result (all DOS's are not the same), but some programs didn't plan on DOS
  5 and DOS 6 as future numbers. This command "fakes them out" by supplying
  them with the version number they need.,2542,t=DOS+Setver&i=41854,00.asp

Apple needs a version of the SETVER command.

Please report problems with the web pages to the maintainer