Relating to Steve Bellovin's ``Deploy first, test later'' (RISKS-24.83), a similar fiasco has been afflicting employees in the Los Angeles Unified School District (LAUSD) since early this year. LAUSD is the second largest K-12 public school system in the nation. Some eight months after "going live" with their new payroll system, employees are still receiving incorrect paychecks or no paychecks at all. The administration does not yet know whether correct W2 forms will be issued in January. Employees retiring cannot get correct pension benefits. Of course, when the new system was deployed, there were no contingency plans to roll back to the prior system. By now (after a delay of months), a roll-back is likely to be impossible. David E. Ross <http://www.rossde.com/> [On 1 Oct 2007, an NPR report mentioned that Deloitte Touche had received $95M for the original system, which did not work, and that another $10M had been spent on contracts aimed at fixing the system -- which to date still does not work. PGN]
I haven't seen this talked about, although there have been a few blog comments. A Sep 24 article in *The Washington Post* summarizes research done by Dr. Jennifer Lerner at Carnegie Mellon on individual perceptions of risk. Not surprisingly to readers of RISKS, people dramatically misjudge risk - but what was surprising to me is how they did it in contradictory ways. WashPost says "Lerner found that anger and fear systematically bias people's risk estimates in opposite directions. Anger causes people to underestimate risks, which may be why drivers in the grip of road rage confidently attempt perilous maneuvers that place themselves and others in danger. By contrast, people who are afraid overestimate risks." The *WashPost* article also discusses research by psychologist David Mandel of Defense Research and Development Canada, noting "While psychology is not much use in predicting the future when it comes to terrorism, what it can do is highlight errors in thinking. Mandel asked people after the Sept. 11 attacks what they thought the risk of a major terrorist attack would be in the next two months. He then asked his volunteers to estimate the risk of an attack specifically by al-Qaeda and the risk of an attack by a completely separate group. Mandel found that when he totaled a person's responses about the likelihood of each of the subdivided possibilities, their sum was greater than the person's guess about the overall likelihood of a terrorist attack." Also, people misconstrue their own risk vs. the risk to others: "People invariably see themselves as being at lower risk than the average person -- they guessed that they had a 1-in-5 chance of being hurt but that others had a 1-in-2 chance of being hurt. Obviously, these statistics cannot be true for everyone." So to bring this back to RISKS, I wonder how these psychological results apply to technology risks. Do we underestimate the risk of cyberattacks and take unnecessary risks (e.g., knowingly going to dangerous web sites, not running the latest security software) because we think we're immune as security professionals? Or are we overestimating our risk because we're afraid? I don't have any answers, but the article made me think about risks and RISKS. http://www.washingtonpost.com/wp-dyn/content/article/2007/09/23/AR2007092300915.html
A software update to Apple's iPhone on Friday disabled third-party applications and rendered iPhones that had been unlocked completely unusable. [Source: Katie Hafner, *The New York Times*, 29 Sep 2007] http://www.nytimes.com/2007/09/29/technology/29iphone.html?th&emc=th
Judge Voids Election Results Over E-Voting Results That Couldn't Be Audited Apparently a judge in Alameda County, California, has voided some election results after the e-voting tallies from Diebold machines couldn't be audited. The vote was on a controversial ballot measure, where the end result was quite close. [Source: Techdirt, 2 Oct 2007, thanks to Dave Lesher] http://techdirt.com/articles/20070930/001319.shtml
On 28 Sep 2007 the Dutch government suspended all voting by voting machines. In a report it was found that the systems were unsafe, not controllable and did not allow recounting. So while most of the country had converted to voting computers, the next vote will again be with a red pencil. (Amsterdam was late in conversion, so I only voted once with a machine, but that machine was already disallowed on the next vote, so we got back to pencil early.) The major problems seen are: 1. There is no way to verify that a machine runs a version of the software that is approved. 2. There is no way to recount if there is a dispute. The recommendation of the commission that looked into it is to wait for voting machines that print out a paper recording the vote that you put in a box. When counting starts, the papers from the box are collected and another machine does the counting. This indeed would reduce a lot of paper work (I have had A2 format forms where I should make one circle red). And there is a clear paper trail, so if a counting machine is not trusted, counting by hand is always possible. I think the recommendations are pretty risk-aware, let the machines do what they can do, but leave a full controllable trail. Aside: the size of the voting papers is because almost all elections include fifteen to twenty parties, with up to 50 persons on the list. And you have to choose one of those. And, PS, it is rumoured that the producer of the Dutch voting machines (or one of its employees) has edited the Wikipedia page. And finally, Amsterdam (with red pencil voting) had its final results long before other communities that did use computer voting on the last vote. dik t. winter, cwi, kruislaan 413, 1098 sj amsterdam, nederland, +31205924131 home: bovenover 215, 1025 jn amsterdam, nederland; http://www.cwi.nl/~dik/
[...] The whole issue of voting machines will be reconsidered from scratch. Look at "www.WijVertrouwenStemcomputersNiet.nl" for more information, or look at government sources or newspapers like www.nrc.nl and www.trouw.nl, with the search term "stemcomputers" and "nedap". Eric T. Ferguson, van Reenenweg 3, 3702 SB ZEIST Netherlands tel 030-2673638
I noticed I was quoted in RISKS-24.71, and thought you might want an update. The BBC interview seems like ages ago, but it was just before the last presidential election. First, the laws have since changed and all of our state of Virginia is looking into new machines. I've only heard bits of this, but I suspect we'll all hear much more in the coming months. Second, I'm not "the election official." I'm a seasonal employee at the Office of Elections. There are plenty of people who know more about election machines, e-voting, laws, and elections in general than me. They are full-time staff at the Office of Elections. Third, most of the reporters who interviewed us that day got their facts wrong. For starters, have you ever heard an American say "tick" in this context? We say "check" or "checkmark." One newspaper stated my name as Miss Blanche Kapustin, right next to a photo of my hand on the machine's screen, displaying my wedding ring. Some misspelled my name. And many took bits and pieces of what we said and twisted it out of context. For example, one neglected the word "not" in a sentence. That totally changed the meaning. In any case, if you have any questions, feel free to e-mail me at firstname.lastname@example.org. But please disregard anything you read in the press. It's outdated, but even at the time, most of it was obviously misquoted.
It appears that the only failure in Memphis was the comprehensive communication system, which appears to put a lot of eggs in one somewhat fragile basket. In the olden days, there were separate redundant sets of comm lines for - receiving radar reports from the sensors, - co-ordinating with other facilities, and - talking to the aircraft. If the radar lines went down, center could still talk to the pilots and the next center. FTI, the Federal Telecommunications Infrastructure program, replaces all of these with a single, demonstrably-not-sufficiently-redundant pipe. It seems to have been taken down by a single board failure. Insert appropriate jumping-up-and-down here. Oh, I may have left an 'r' out of the subject line. For the technician's union take, see http://www.newsmgr.com/publish/article_911.shtml
I have received a number of enlightening responses to my submission about on-line property assessment databases in RISKS 24.82. I would like to share these and my responses to them in turn. One respondent disputed my claim that before these databases were put on-line, the corresponding paper records were indexed by address rather than name. He wrote, "I don't think that is precisely true with respect to the land records. Deeds are indexed by grantor/grantee, not by street name/number." I may have been mistaken in my belief that paper records were not indexed by grantee. However, I submit that it's rather easier for someone with nefarious intent to sit in front of a computer for an hour searching registries on-line than for him/her to travel in person to registries of deeds all over the state / country and start pulling books off the shelf to find someone. Yes, the information was always public (a point made by other respondents), but it was not always so easy for the public to gain access to it. The information can and should be sufficiently accessible for people who have a real, legitimate need to access it, but it should at the same time be sufficiently *in*accessible to dissuade people whose need is not legitimate. ** Another respondent asked if I knew about www.zabasearch.com and www.intelius.com, both of which (along with others, I'm sure) "provide lots of name-based info derived from public records." I am indeed familiar with these services, although I haven't ever paid them money to find out just how much information they are able to uncover. As my respondent noted, the information they provide is derived from public records, so this goes back to the issue which prompted my initial submission to RISKS -- the level of information available in the public records is itself a concern. ** On a related note, one respondent noted that there numerous companies which have made a business out of sending ``data moles'' in person to registries and other government offices to grovel through paper records and capture their contents into private databases which can then be used and sold for various purposes (e.g., I've received numerous solicitations which identify the amount of my existing mortgage and the lien holder, and I recently received an official-looking letter offering to provide me with a registered copy of my deed (which of course I already have) for $60). He reasoned that since these databases already exist and are accessible for a fee, it's reasonable for the government offices to make the data available themselves for free, to ensure equal access to it. I see two flaws in this argument: 1. It presupposes that we should in fact be allowing private companies to collect and disseminate the data. Perhaps the right answer is not to allow everyone to access it since these private companies already are, but rather to restrict access for these private companies as well. It seems to me that it would be virtually impossible for such companies to do business in Europe, given the strict privacy laws there. With identity theft such a huge problem nowadays, it is not obvious to me that the European model isn't closer to correct than ours. 2. These private companies don't give away the data for free; they're doing the data collection to make money from it, so they charge for it, and even a minimal fee for access is a decent barrier for dissuading casual use of the data for nefarious purposes. It may in fact be perfectly reasonable to allow third-party databases of this data to exist (although, as noted above, that's an open question), as long as there are such barriers. In my opinion, the data in land and assessment records should be freely accessible on the Internet without any names associated with it. If you want to look something up by name, there needs to be some sort of barrier to doing that, although I don't have a firm opinion about the nature or height of the barrier. Some possibilities include fee-based access; appearance in person at the registry; and being required to show cause for such a look-up assuming that it isn't for your own data. ** Two respondents mentioned Florida's Sunshine Law, which requires the vast majority of government information to be public and accessible. While I understand and to some extent agree with the motivation behind this law, even this law has exceptions to address safety and privacy concerns, and I would argue that being able to search land records by name should be such an exception. Tanner Andrews, a lawyer from Florida, expounded at length about why the information which concerns me should be public. Most of the points he made in his response are irrelevant to my point, since they do not depend on the information being searchable by name, and thus do not contradict my claim that whatever minimal benefit there might be from such searchability is outweighed by the risk. The closest that Mr. Andrews came to explaining why the database should be searchable by name was this: "Here in Florida, most of the property appraisers are elected. If you suspect some partiality, you ought to be able to see what property is owned by the people who gave the statutory maximum to the campaign. You ought as well to be able to decide whether those properties appear to be especially favorably assessed. In areas where the appraiser is appointed you may wish to do a similar investigation of properties owned by the people doing the appointing." I do not find this argument convincing, because the reality is that the people doing such investigations are not private citizens but rather public advocates, journalists, etc. These people have the time and resources to find out where "the people who gave the statutory maximum" and "the people doing the appointing" live. Once you know where these people live, you can look up their property values by address, which I've never argued should be impossible. Please see my earlier point about making the information both sufficiently accessible and sufficiently inaccessible. Mr. Andrews also wrote: "Furthermore, a dedicated stalker can do the same things for the lady of his misguided affections. The computer search may save him the half-hour in the Clerk's office, but someone who has time to stalk probably has time to visit the courthouse as well." This is true if a stalker already knows the town or city in which his/her target resides. However, as I've noted previously, the ease of access to these data on-line makes it possible for someone with nefarious intent to search, quickly, easily and for free, not just a single town or city, but an entire state or indeed multiple states. This is hardly comparable to the example Mr. Andrews gave of a "half-hour in the Clerk's office." ** Another respondent mentioned the possibility of keeping one's name out of land records by assigning the property to a trust rather than to individual owner(s). Trusts are complex legal instruments that cost money to establish, and I hardly think that individual property owners should be burdened with that expense just to keep their names out of on-line property databases. Furthermore, the task of educating at-risk individuals of the need to utilize such trusts to conceal their location is a daunting one. ** Finally, one respondent informed me that California has legislation prohibiting the public dissemination of property records with owner names. I have not been able to verify this, but if it's true, then it indicates that at least one state understands this problem and has taken steps to deal with it. It's not surprising that it's California; they frequently lead on things like this.
[Fortunately, Ken caught it. Maybe it was the "silly bad words" item? But AOL already had a bad rep for rejecting all sorts of good content. PGN]
Reinhard Kopka wrote of a "bad words" filter that triggered on partial word matches and replaced the partial match with a cleaner alternative. In a similar vein, the facility to talk with other players at your table on Partypoker.com triggers on a part of an innocent word partially matching a rude word, and so changes "full house" to "YYYY house", which would seem to be a little overzealous. [NOTE: Two out of four letters matching an offensive four-letter word? That really is overzealous. By the way, I changed the four Xs to four Ys in an attempt to avoid spam-filtering of *this* issue! PGN]
Please report problems with the web pages to the maintainer