The RISKS Digest
Volume 24 Issue 84

Wednesday, 3rd October 2007

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


LAUSD payroll fiasco
David E. Ross
Assessing personal risk
Jeremy Epstein
Altered iPhones Freeze Up
Ken Knowlton
Alameda e-voting results tossed out
Dave Lesher
Dutch government suspends computer voting
Dik T. Winter
Eric Ferguson
Re: E-vote 'threat' to UK democracy
Blanche Kapustin
Re: Memphis center outage
Bill Hopkins
Re: On-line property assessment databases
Jonathan Kamens
AOL classified RISKS-24.83 as spam
Ken Knowlton
Re: Silly "Bad Words" filter
Gary Barnes
Info on RISKS (comp.risks)

LAUSD payroll fiasco

<"David E. Ross" <>>
Thu, 27 Sep 2007 16:56:28 -0700

Relating to Steve Bellovin's ``Deploy first, test later'' (RISKS-24.83), a
similar fiasco has been afflicting employees in the Los Angeles Unified
School District (LAUSD) since early this year.  LAUSD is the second largest
K-12 public school system in the nation.

Some eight months after "going live" with their new payroll system,
employees are still receiving incorrect paychecks or no paychecks at all.
The administration does not yet know whether correct W2 forms will be issued
in January.  Employees retiring cannot get correct pension benefits.

Of course, when the new system was deployed, there were no contingency plans
to roll back to the prior system.  By now (after a delay of months), a
roll-back is likely to be impossible.

David E. Ross <>

  [On 1 Oct 2007, an NPR report mentioned that Deloitte Touche had received
  $95M for the original system, which did not work, and that another $10M
  had been spent on contracts aimed at fixing the system — which to date
  still does not work.  PGN]

Assessing personal risk

<"Epstein, Jeremy" <>>
Fri, 28 Sep 2007 15:32:41 -0400

I haven't seen this talked about, although there have been a few blog
comments.  A Sep 24 article in *The Washington Post* summarizes research
done by Dr. Jennifer Lerner at Carnegie Mellon on individual perceptions of
risk.  Not surprisingly to readers of RISKS, people dramatically misjudge
risk - but what was surprising to me is how they did it in contradictory
ways.  WashPost says "Lerner found that anger and fear systematically bias
people's risk estimates in opposite directions.  Anger causes people to
underestimate risks, which may be why drivers in the grip of road rage
confidently attempt perilous maneuvers that place themselves and others in
danger. By contrast, people who are afraid overestimate risks."

The *WashPost* article also discusses research by psychologist David Mandel
of Defense Research and Development Canada, noting "While psychology is not
much use in predicting the future when it comes to terrorism, what it can do
is highlight errors in thinking. Mandel asked people after the Sept. 11
attacks what they thought the risk of a major terrorist attack would be in
the next two months. He then asked his volunteers to estimate the risk of an
attack specifically by al-Qaeda and the risk of an attack by a completely
separate group. Mandel found that when he totaled a person's responses about
the likelihood of each of the subdivided possibilities, their sum was
greater than the person's guess about the overall likelihood of a terrorist
attack."  Also, people misconstrue their own risk vs. the risk to others:
"People invariably see themselves as being at lower risk than the average
person — they guessed that they had a 1-in-5 chance of being hurt but that
others had a 1-in-2 chance of being hurt. Obviously, these statistics cannot
be true for everyone."

So to bring this back to RISKS, I wonder how these psychological results
apply to technology risks.  Do we underestimate the risk of cyberattacks and
take unnecessary risks (e.g., knowingly going to dangerous web sites, not
running the latest security software) because we think we're immune as
security professionals?  Or are we overestimating our risk because we're
afraid?  I don't have any answers, but the article made me think about risks
and RISKS.

Altered iPhones Freeze Up

<Ken Knowlton <>>
Sat, 29 Sep 2007 09:38:51 EDT

A software update to Apple's iPhone on Friday disabled third-party
applications and rendered iPhones that had been unlocked completely
unusable.  [Source: Katie Hafner, *The New York Times*, 29 Sep 2007]

Alameda e-voting results tossed out

<"Peter G. Neumann" <>>
Tue, 2 Oct 2007 14:05:51 PDT

Judge Voids Election Results Over E-Voting Results That Couldn't Be Audited

Apparently a judge in Alameda County, California, has voided some election
results after the e-voting tallies from Diebold machines couldn't be
audited. The vote was on a controversial ballot measure, where the end
result was quite close.  [Source: Techdirt, 2 Oct 2007, thanks to Dave Lesher]

Dutch government suspends computer voting

< (Dik T. Winter)>
Sat, 29 Sep 2007 02:06:38 GMT

On 28 Sep 2007 the Dutch government suspended all voting by voting machines.
In a report it was found that the systems were unsafe, not controllable and
did not allow recounting.  So while most of the country had converted to
voting computers, the next vote will again be with a red pencil.  (Amsterdam
was late in conversion, so I only voted once with a machine, but that
machine was already disallowed on the next vote, so we got back to pencil
early.)  The major problems seen are:

1.  There is no way to verify that a machine runs a version of the
    software that is approved.
2.  There is no way to recount if there is a dispute.

The recommendation of the commission that looked into it is to wait for
voting machines that print out a paper recording the vote that you put in a
box.  When counting starts, the papers from the box are collected and
another machine does the counting.  This indeed would reduce a lot of paper
work (I have had A2 format forms where I should make one circle red).  And
there is a clear paper trail, so if a counting machine is not trusted,
counting by hand is always possible.

I think the recommendations are pretty risk-aware, let the machines do what
they can do, but leave a full controllable trail.

Aside: the size of the voting papers is because almost all elections include
fifteen to twenty parties, with up to 50 persons on the list.  And you have
to choose one of those.

And, PS, it is rumoured that the producer of the Dutch voting machines (or
one of its employees) has edited the Wikipedia page.

And finally, Amsterdam (with red pencil voting) had its final results long
before other communities that did use computer voting on the last vote.

dik t. winter, cwi, kruislaan 413, 1098 sj  amsterdam, nederland, +31205924131
home: bovenover 215, 1025 jn  amsterdam, nederland;

Dutch government suspends computer voting

<"Eric Ferguson" <>>
Sat, 29 Sep 2007 01:40:50 +0200

[...] The whole issue of voting machines will be reconsidered from scratch.

Look at "" for more information, or
look at government sources or newspapers like and,
with the search term "stemcomputers" and "nedap".

Eric T. Ferguson, van Reenenweg 3, 3702 SB ZEIST Netherlands tel 030-2673638

Re: E-vote 'threat' to UK democracy (Lesher, RISKS-24.71)

<Blanche Kapustin <>>
Sun, 30 Sep 2007 04:07:19 +0200

I noticed I was quoted in RISKS-24.71, and thought you might want an update.
The BBC interview seems like ages ago, but it was just before the last
presidential election.

First, the laws have since changed and all of our state of Virginia is
looking into new machines.  I've only heard bits of this, but I suspect
we'll all hear much more in the coming months.

Second, I'm not "the election official."  I'm a seasonal employee at the
Office of Elections.  There are plenty of people who know more about
election machines, e-voting, laws, and elections in general than me.  They
are full-time staff at the Office of Elections.

Third, most of the reporters who interviewed us that day got their facts
wrong.  For starters, have you ever heard an American say "tick" in this
context?  We say "check" or "checkmark."  One newspaper stated my name as
Miss Blanche Kapustin, right next to a photo of my hand on the machine's
screen, displaying my wedding ring.  Some misspelled my name.  And many took
bits and pieces of what we said and twisted it out of context.  For example,
one neglected the word "not" in a sentence.  That totally changed the

In any case, if you have any questions, feel free to e-mail me at  But please disregard anything you read in the
press.  It's outdated, but even at the time, most of it was obviously

Re: Memphis center outage (RISKS-24.83)

<"Bill Hopkins" <>>
Fri, 28 Sep 2007 18:31:58 -0400

It appears that the only failure in Memphis was the comprehensive
communication system, which appears to put a lot of eggs in one somewhat
fragile basket.

In the olden days, there were separate redundant sets of comm lines for
- receiving radar reports from the sensors,
- co-ordinating with other facilities, and
- talking to the aircraft.

If the radar lines went down, center could still talk to the pilots and the next center.

FTI, the Federal Telecommunications Infrastructure program, replaces all of
these with a single, demonstrably-not-sufficiently-redundant pipe.  It seems to
have been taken down by a single board failure.

Insert appropriate jumping-up-and-down here.  Oh, I may have left an 'r' out
of the subject line.

For the technician's union take, see

Re: On-line property assessment databases (RISKS-24.82)

<"Jonathan Kamens" <>>
Mon, 24 Sep 2007 12:42:01 -0400

I have received a number of enlightening responses to my submission about
on-line property assessment databases in RISKS 24.82.  I would like to
share these and my responses to them in turn.

One respondent disputed my claim that before these databases were put
on-line, the corresponding paper records were indexed by address rather than
name.  He wrote, "I don't think that is precisely true with respect to the
land records.  Deeds are indexed by grantor/grantee, not by street

I may have been mistaken in my belief that paper records were not indexed
by grantee.  However, I submit that it's rather easier for someone with
nefarious intent to sit in front of a computer for an hour searching
registries on-line than for him/her to travel in person to registries of
deeds all over the state / country and start pulling books off the shelf
to find someone.

Yes, the information was always public (a point made by other
respondents), but it was not always so easy for the public to gain access
to it.  The information can and should be sufficiently accessible for
people who have a real, legitimate need to access it, but it should at the
same time be sufficiently *in*accessible to dissuade people whose need is
not legitimate.


Another respondent asked if I knew about and, both of which (along with others, I'm sure) "provide
lots of name-based info derived from public records." I am indeed
familiar with these services, although I haven't ever paid them money to
find out just how much information they are able to uncover.  As my
respondent noted, the information they provide is derived from public
records, so this goes back to the issue which prompted my initial
submission to RISKS — the level of information available in the public
records is itself a concern.


On a related note, one respondent noted that there numerous companies which
have made a business out of sending ``data moles'' in person to registries
and other government offices to grovel through paper records and capture
their contents into private databases which can then be used and sold for
various purposes (e.g., I've received numerous solicitations which identify
the amount of my existing mortgage and the lien holder, and I recently
received an official-looking letter offering to provide me with a registered
copy of my deed (which of course I already have) for $60).  He reasoned that
since these databases already exist and are accessible for a fee, it's
reasonable for the government offices to make the data available themselves
for free, to ensure equal access to it.

I see two flaws in this argument:

1. It presupposes that we should in fact be allowing private companies to
collect and disseminate the data.  Perhaps the right answer is not to allow
everyone to access it since these private companies already are, but rather
to restrict access for these private companies as well.  It seems to me that
it would be virtually impossible for such companies to do business in
Europe, given the strict privacy laws there.  With identity theft such a
huge problem nowadays, it is not obvious to me that the European model isn't
closer to correct than ours.

2. These private companies don't give away the data for free; they're doing
the data collection to make money from it, so they charge for it, and even a
minimal fee for access is a decent barrier for dissuading casual use of the
data for nefarious purposes.  It may in fact be perfectly reasonable to
allow third-party databases of this data to exist (although, as noted above,
that's an open question), as long as there are such barriers.

In my opinion, the data in land and assessment records should be freely
accessible on the Internet without any names associated with it.  If you
want to look something up by name, there needs to be some sort of barrier to
doing that, although I don't have a firm opinion about the nature or height
of the barrier.  Some possibilities include fee-based access; appearance in
person at the registry; and being required to show cause for such a look-up
assuming that it isn't for your own data.


Two respondents mentioned Florida's Sunshine Law, which requires the vast
majority of government information to be public and accessible.  While I
understand and to some extent agree with the motivation behind this law,
even this law has exceptions to address safety and privacy concerns, and I
would argue that being able to search land records by name should be such an

Tanner Andrews, a lawyer from Florida, expounded at length about why the
information which concerns me should be public.  Most of the points he made
in his response are irrelevant to my point, since they do not depend on the
information being searchable by name, and thus do not contradict my claim
that whatever minimal benefit there might be from such searchability is
outweighed by the risk. The closest that Mr. Andrews came to explaining why
the database should be searchable by name was this:

"Here in Florida, most of the property appraisers are elected. If you
suspect some partiality, you ought to be able to see what property is owned
by the people who gave the statutory maximum to the campaign. You ought as
well to be able to decide whether those properties appear to be especially
favorably assessed. In areas where the appraiser is appointed you may wish
to do a similar investigation of properties owned by the people doing the

I do not find this argument convincing, because the reality is that the
people doing such investigations are not private citizens but rather
public advocates, journalists, etc.  These people have the time and
resources to find out where "the people who gave the statutory maximum"
and "the people doing the appointing" live.  Once you know where these
people live, you can look up their property values by address, which I've
never argued should be impossible.  Please see my earlier point about
making the information both sufficiently accessible and sufficiently

Mr. Andrews also wrote:

"Furthermore, a dedicated stalker can do the same things for the lady of
his misguided affections. The computer search may save him the half-hour
in the Clerk's office, but someone who has time to stalk probably has time
to visit the courthouse as well."

This is true if a stalker already knows the town or city in which his/her
target resides.  However, as I've noted previously, the ease of access to
these data on-line makes it possible for someone with nefarious intent to
search, quickly, easily and for free, not just a single town or city, but
an entire state or indeed multiple states.  This is hardly comparable to
the example Mr. Andrews gave of a "half-hour in the Clerk's office."


Another respondent mentioned the possibility of keeping one's name out of
land records by assigning the property to a trust rather than to
individual owner(s).  Trusts are complex legal instruments that cost money
to establish, and I hardly think that individual property owners should be
burdened with that expense just to keep their names out of on-line
property databases.  Furthermore, the task of educating at-risk
individuals of the need to utilize such trusts to conceal their location
is a daunting one.


Finally, one respondent informed me that California has legislation
prohibiting the public dissemination of property records with owner names.
I have not been able to verify this, but if it's true, then it indicates
that at least one state understands this problem and has taken steps to deal
with it.  It's not surprising that it's California; they frequently lead on
things like this.

AOL classified RISKS-24.83 as spam

<Ken Knowlton <>>
Fri, 28 Sep 2007 18:29:09 EDT

  [Fortunately, Ken caught it.  Maybe it was the "silly bad words" item?
  But AOL already had a bad rep for rejecting all sorts of good content.

Re: Silly "Bad Words" filter (Kopka, RISKS-24.73)

<Gary Barnes <>>
Thu, 27 Sep 2007 23:29:35 +0100

Reinhard Kopka wrote of a "bad words" filter that triggered on partial word
matches and replaced the partial match with a cleaner alternative.

In a similar vein, the facility to talk with other players at your table on triggers on a part of an innocent word partially matching a
rude word, and so changes "full house" to "YYYY house", which would seem to
be a little overzealous.

  [NOTE: Two out of four letters matching an offensive four-letter word?
  That really is overzealous.  By the way, I changed the four Xs to four Ys
  in an attempt to avoid spam-filtering of *this* issue!  PGN]

Please report problems with the web pages to the maintainer