The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 26 Issue 50

Tuesday 26 July 2011

Contents

National Popular Vote—Needs Governor Brown's Veto
Rebecca Mercuri
New Court Filing Reveals How the 2004 Ohio Presidential Election Was Hacked
Bob Fitrakis via Monty Solomon
Software Designer Reports Error in Anthony Trial
Lizette Alvarez via PGN
Computer problems may trump debt ceiling
Mark Thorson
The British Phone Hacking Scandal
Peter Bernard Ladkin
Indian government uses Hotmail!
Ashish Gehani
Skype Vulnerability
Gene Wirchenko
Booz Allen systems breached
Jason Ukman via PGN
Do Not Track Not Being Followed
Grant Gross via Gene Wirchenko
Man gets 18-year sentence for harassing neighbor through Wi-Fi
Mark Thorson
Let's hope their code stays closed!
jidanni
Decoupling Civil Timekeeping from Earth Rotation?
Rob Seaman
Info on RISKS (comp.risks)

National Popular Vote—Needs Governor Brown's Veto

RTMercuri <notable@mindspring.com>
Sun, 17 Jul 2011 16:46:19 -0400

Please take action in informing Governor Brown why AB 459 must be
vetoed. We stopped this in 2006. It needs to be stopped again! RM.

  [This was apparently presented to the Governor at 1:30pm PDT on 25 Jul. PGN]

Rebecca Mercuri, National Popular Vote Returns to California, 17 Jul 2011

Back in 2006, the National Popular Vote (NPV) Proposal was thoughtfully
vetoed in California when its incarnation (as AB 2948) crossed Governor
Schwarzenegger's desk. Unfortunately, this legislative whack-a-mole has
returned again to the Eureka state, this time in the form of AB 459, now
awaiting signing by Governor Jerry Brown. This passage would inch the likely
unconstitutional movement ever closer to the 270 electoral votes necessary
to activate its bogus plan.

For those who are unaware of the dangers of NPV, essentially it will require
pooling of the popular votes for U.S. Presidential candidates, among the
states that have enacted the bill, requiring that all of these states
collectively cast their electoral votes for the singular popular vote winner
of the pool. In other words, the popular vote winner in each individual
state will be entirely IGNORED, if the pooled votes' result is not the same.

An early proponent behind the NPV movement was well-known Presidential
election "spoiler" John B. Anderson. Anderson is also an outspoken supporter
of Instant Runoff Voting (IRV), another tabulation method that disregards
the "first choices" of voters in favor of an aggregated result. Touted as a
way to "level the playing field" between the states, NPV supporters use
fuzzy math claims in order to reject other more plausible and fair schemes
(such as dividing the electors within each state as to their proportion of
the different candidate votes) that do not require "winner-take-all" or
interstate pooling methodologies. One need only recall the fuzzy math that
Hillary Clinton's camp used in attempting to exclude caucus states from the
national popular vote in the 2008 Democratic primary, in order to gauge the
level of shenanigans that are likely to occur once an enormous block of
electoral votes comes into play.

As I (and others) had earlier informed Governor Schwarzenegger "Already, the
westernmost states have less of a say in the Presidential elections due to
early disclosures of vote totals and polling data from the states in earlier
time zones. This bill further reduces the impact or even necessity of
Californians in the decision process. Even more dangerously, states that
have inadequate or inferior election equipment or auditing processes may
adversely influence the vote totals, such that an incorrect popular vote
could be used to determine California's electors." All of this is still true
with the current version of the bill.

Your help is URGENTLY needed now in informing Governor Brown why AB 459 must
NOT become law. The contact information is: Governor Jerry Brown, c/o State
Capitol, Suite 1173, Sacramento, CA 95814; Phone: (916) 445-2841; Fax: (916)
558-3160.

Rebecca Mercuri, Ph.D.


New Court Filing Reveals How the 2004 Ohio Presidential Election Was Hacked (Bob Fitrakis)

Monty Solomon <monty@roscom.com>
Tue, 26 Jul 2011 10:47:56 -0400

Bob Fitrakis, *The Free Press*, 20 Jul 2011

A new filing in the King Lincoln Bronzeville v. Blackwell case includes a
copy of the Ohio Secretary of State election production system configuration
that was in use in Ohio's 2004 presidential election when there was a sudden
and unexpected shift in votes for George W. Bush.

The filing also includes the revealing deposition of the late Michael
Connell. Connell served as the IT guru for the Bush family and Karl
Rove. Connell ran the private IT firm GovTech that created the controversial
system that transferred Ohio's vote count late on election night 2004 to a
partisan Republican server site in Chattanooga, Tennessee owned by
SmarTech. That is when the vote shift happened, not predicted by the exit
polls, that led to Bush's unexpected victory. Connell died a month and a
half after giving this deposition in a suspicious small plane crash.

Additionally, the filing contains the contract signed between then-Ohio
Secretary of State J. Kenneth Blackwell and Connell's company, GovTech
Solutions. Also included with that contract is a graphic architectural map of
the Secretary of State's election night server layout system. ...

http://freepress.org/departments/display/19/2011/4239
http://freepress.org/images/departments/4237/ClevExIArchMap2004Ohioelection.pdf
http://freepress.org/images/departments/4237/SmartechRoutingOH04.pdf


Software Designer Reports Error in Anthony Trial (Lizette Alvarez)

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 25 Jul 2011 19:03:51 PDT

Lizette Alvarez, *The New York Times* nat'l edition, A14, 19 Jul 2011 [PGN-ed]

In the Casey Anthony trial, the prosecution repeatedly emphasized that the
defendant had conducted 84 searches on the word 'chloroform'.  However, John
Bradley (who created the CacheBack software that could have been used by the
prosecution to validate their use of the number 84) had declared during the
trial that the software actually came up with the number 1: only one such
search—through Google, which then led to a website which was itself
searched only once.  Bradley reported that finding to the court, but it was
never presented to the jury and the record never corrected.  Apparently, the
prosecution never attempted to verify their number 84 using that software.


Computer problems may trump debt ceiling

Mark Thorson <eee@sonic.net>
Thu, 7 Jul 2011 22:15:50 -0700

According to this article, the difficulty of reprogramming the computers at
the Treasury department may prevent that department from obeying the debt
ceiling, even if Congress doesn't raise it.

http://blogs.reuters.com/felix-salmon/2011/07/07/what-happens-on-august-3/

The risk is having a system designed under the assumption that the debt
ceiling will always be raised, compounded by the risk of having an incentive
against implementing the flexibility needed to accommodate the ceiling not
being raised.  Or maybe the risk is having Congressmen who believe there
really is a debt ceiling.


The British Phone Hacking Scandal

Peter Bernard Ladkin <ladkin@rvs.uni-bielefeld.de>
Fri, 22 Jul 2011 08:08:45 +0200

I have been following the scandal closely, because of what it says or does
not say about modern Britain.

Everyone notes wryly the French "corporate state" being run by ENiAcs, but
few people have noted how Britain has reverted to being run by Oxbridge
graduates - this time, indeed, by people who were once what we used to call
"little rich kids", former members of the Bullingdon club (look it up in
Wikipedia). Indeed, five members of the current government went to my very
college. Now, I am moderately attached to and supportive of my college, but
I am also very aware of how one's upbringing affects one's attitude to life
and am skeptical that people who were as financially and socially privileged
as some of these can understand, even begin to solve, issues to do with
Britain's poor and underprivileged, or the structural-economic issues
involved with Lancashire, Yorkshire, Northumberland and Durham, or with
Scotland, indeed with any parts except London and enclaves of wealthy
people. Or even figure out what is right and what is wrong with the NHS, or
with state secondary education, neither of which any of them have ever had
to experience.

I, personally, believe that the NHS and the state education of the sort I
received are two of the great achievements in Britain of the last
century. And I do have personal experience of three health systems, and
three university systems, as well as intimate knowledge of features of
school systems, over decades in three very different countries - and of
course three newspaper systems - so I like to think my perspective is
informed.

Press first. I think the British press has given up its former partial role
as informer and arbiter of social reality (I am not quite sure how to phrase
it - the experience of reading a newspaper article and knowing you were
getting objective and moderately complete information through your reading
it) - a role which papers such as the NYT, Washington Post, and in Germany
FAZ and SZ still play, and which at least The Times used to play in GB and
no longer does (for example, The Times's extremely poor and quite
poorly-opinionated coverage of AF447, as compared with that of the NYT).
Now, the Brit/American Roger Cohen, who writes columns for the NYT and is
almost always worth reading, had an interesting perspective. A week ago, he
argued that Rupert Murdoch had been good for the British press, on the basis
that he had kept it alive and thriving at a point at which it could well
have died (he suggests that The Times would likely have disappeared were it
not for Murdoch). I think much of that may well be right - it is hard to see
how the newspaper business could have survived, given the then-demands of
the printers' unions, and Murdoch single-handedly changed that
situation. But the daily printed word seems to have become much less
trustworthy in the UK in a way in which, for example, the best newspapers
elsewhere (NYT, WP, SZ, FAZ) have not. Even the WSJ, another paper which can
be argued to have been Murdoch-rescued, has not succumbed. There just seems
to be something about the British press in which I suspect Murdoch & family to
have significant influence over content.

The NHS is being slowly destroyed, I think, through successive poor policy
and management over decades, and I think that state secondary school
education has been on the down for decades. I had some hopes for the
university system, which when I entered it was scholastic-inclined and
elitist, with intake some very few percent of the population, and after some
culture shock at entering a system which took some few percent of a very
different population, came to see the enormous advantages of a
higher-education system which addressed over 50% of school leavers (in
universities and community colleges, in almost all of which one could do the
first year or two of any university coursework at - then - no cost). So I
had hopes, for a decade or two, for the English university system, but
perceiving the conditions under which my English colleagues now work, and
what has happened to courses and coursework and now student fees, I can't
any longer say that I think things have improved. What I can say is that for
younger academics at the start of their careers the system is still
superior, more humane and more encouraging, than most or all of those in
continental Europe, or even the US. So that remains a beacon of hope (sorry
for the cliche). But for the general university situation, I can't see that
privileged rich kids can have much personal insight into the matters that
count: who should be going to university, why, and under what
conditions. And without personal insight and experience, I don't see how one
can distinguish policies that might work from those that won't. I can't see,
for example, any 18 year old who has been trying to manage a couple of quid
a week pocket money being able to make a well-informed decision that going
into debt for 9,000 per year plus living expenses is going to be at all
worth it for his/her future life. Maybe so for, say, law, microeconomics or
engineering, but not for, say, Eng. lit., Latin & Greek, French lit., German
lit., philosophy, or those other courses of study which one might imagine
would give a future lawyer, politician or civil servant some perspective on
the variety of life with which they will be dealing and train some important
skills such as producing a coherent argument, and being able to write
decently. In contrast, I *can* see that, very easily, for young Americans in
the same position. Let me just say that money plays a different role there;
enough that it was part of my culture shock when I got there.

So what is significant in this scandal?

1. The extent to which it has become clear how Britain is run by elites,
many of whom appear to move in the same social circles. At least Blair used
to hob-nob with rock stars, most of whom are self-made people who were not
financially privileged when they started, and probably still remember what
life was like with mum and dad trying to figure out if the family could
afford to go on holiday that year, rather than what fun they used to have in
the Bullingdon club. But one cannot imagine either him or Brown regularly
lunching and partying with, say, the Gallagher brothers.

2. The extent to which it has become clear how British life is influenced by
those elites. You'll find articles about Paris Hilton's, Lindsay Lohan's and
Britney Spears's latest jaunts in the NYT also, but you will also find
technical details of GE Boiling Water Reactors and why they are susceptible
to this-and-that. The German press will point you to technical documents of
the German regulator and safety watchdog available on the WWW. Whereas one
will search the British press fruitlessly for any details concerning British
nuclear power plants.

3. The extent to which the police appear to have been influenced by those
elites. When I grew up, the bobby and the doctor were examples of public
servants who performed useful functions largely independently of anything
and anybody else (although of course there were always corrupt bobbies and
incompetent doctors). Wednesday, I read through the Home Affairs Select
Committee report and was astonished at the police behavior, which appears to
be collusive to an extraordinary extent at the highest levels. But maybe
those who have actually lived in Britain in the last two decades are less
astonished?

4. The extent to which the old trope "I'm the top guy. I didn't know
anything about what was going on lower down" is nowadays used as a *defence*
of one's (in)actions. Thirty years ago, it was the major reason for
*resigning*! (As indeed Yates and Stephenson have done - so it still is to
some extent. And Hayman got hammered by the Home Affairs Select Committee
when he tried to use it, so someone still remembers the "old days".)

5. I am, though, pleased to see the effectiveness of Select Committees.
James Murdoch saying he had been advised by his consultants to tell the
truth (oh, well, nice to know you get advice from wise people,
Mr. Murdoch!).  And two days later Crone and Myler contradicting his
"defence" as in point 4.  Indeed, it is hard to believe any business person
agreeing to settle a privacy-invasion case for ten times the going rate
(Mosley won 60,000 against the NOTW in court at about the same time, and
even that was up to ten times the award of most successful privacy-invasion
suits), plus full legal expenses, without asking why. I think that makes
James Murdoch toast, business-wise, whatever the truth turns out to be. I
suspect he may even have to work a little to stay out of jail, but see point
3 above. So even though they may be pocketing taxpayers' money to have their
moats cleaned, some politicians are still able to do a decent job on *other
people's misdemeanors*.

6. There are the kinds of things which either make one regret that one
didn't go into politics, or very relieved that one stayed out. The financial
collapse three years ago (which, by the way, I thought was brilliantly
handled by Gordon Brown, alone amongst Western leaders). But there are also
the kind of things which lead me to general despair. This is one of
those. It's a "time to emigrate" moment. Except that I did, and now I'm
running out of places. Canada? It's cold and there's that bully to the
south. Australia? I'm not sure I have the energy to learn another new
language. New Zealand? All those sheep! But I'd feel at home with the
earthquakes.

7. Maybe it's time to form a new political party for those who work hard,
pay their taxes, and expect them to go somewhere useful like health care,
care of the elderly, education, effective oversight of finance and critical
infrastructure, public transportation, and effective urban
reinvigoration. (Germany at least gets the last two right.) Wait a minute!
Didn't we have one of those? What happened to it?

Peter Bernard Ladkin, Professor of Computer Networks and Distributed Systems,
Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
Tel+msg +49 (0)521 880 7319  www.rvs.uni-bielefeld.de


Indian government uses Hotmail!

Ashish Gehani <gehani@csl.sri.com>
Tue, 19 Jul 2011 10:05:19 -0700

This may be of interest to Risks readers:

http://www.businessweek.com/news/2011-07-18/india-government-s-use-of-hotmail-gmail-recipe-for-disaster-.html

  [The outsourcees are outsourcers.  Outsorcery is riskful.  PGN]


Skype Vulnerability

Gene Wirchenko <genew@ocis.net>
Tue, 19 Jul 2011 12:52:57 -0700

Jeremy Kirk, IDG News Service, InfoWorld Home, 15 Jul 2011
http://www.infoworld.com/d/networking/researchers-finds-dangerous-vulnerability-in-skype-138

Update: Researcher claims dangerous vulnerability in Skype.  The flaw could
allow an attacker to reset a Skype user's password and take control of their
account

A security consultant has notified Skype of a cross-site scripting flaw that
could be used to change the password on someone's account, according to
details posted online. Skype said it would issue a fix next week. ...

  [Fixed by now?  PGN]


Booz Allen systems breached (Jason Ukman)

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 12 Jul 2011 2:28:35 PDT

Anonymous claims it obtained military data in breach of Booz Allen systems
Jason Ukman, *The Washington Post*,  11 Jul 2011
<http://www.washingtonpost.com/jason-ukman/2011/03/02/ABr5GIQ_page.html>

The hacker group that calls itself Anonymous claimed Monday that it had
infiltrated the servers of Booz Allen Hamilton and obtained tens of
thousands of e-mail addresses and other sensitive data for military
personnel.  In a new post on PirateBay, a site that hackers use to
distribute vast caches of data, the group dubbed the leak Military Meltdown
Monday.  It claimed that it was surprisingly easy to hack into Booz's
systems and secure 90,000 military emails and password hashes.  The data
appeared to include e-mail addresses, as well as encrypted versions of
passwords.  <http://thepiratebay.org/torrent/6533009>

"In this line of work you'd expect them to sail the seven proxseas with a
state-of-the-art battleship, right?", the Anonymous post said in
describing the firm's network defenses.  "Well, you may be surprised as we
were when we found their vessel being a puny wooden barge."

Asked for comment, a spokesman for Booz directed The Washington Post to a
tweet by the company: "As part of BoozAllen security policy, we generally
do not comment on specific threats or actions taken against our system."
<http://twitter.com/#%21/BoozAllen/status/90504500141506560>

Because the passwords were encrypted, one of the greatest dangers of the
leak may be that the e-mail addresses could be used to contact military
personnel under false pretenses and lure them into revealing their
unencrypted passwords.

Booz, headquartered in Tysons Corner, is a major contractor for the Pentagon
and Department of Homeland Security.

Anonymous and its spin-off group, LulzSec, have claimed responsibility for a
string of attacks against private firms and government agencies. Earlier
this month, Anonymous claimed to have hacked the systems of a West
Virginia-based IT security company and acquired data from the Army, the
Navy, the Department of Justice and NASA.
<http://www.washingtonpost.com/blogs/faster-forward/post/anonymous-releases-more-us-government-data-after-arrests/2011/07/08/gIQA7YAj3H_blog.html>

  [*The NY Times* has an article on 26 Jul 2011 on how the government is
  going after these folks.  PGN]  <My squib was accidentally attached
  to the wrong item.  Corrected in archive copy.  PGN>


Do Not Track Not Being Followed (Grant Gross)

Gene Wirchenko <genew@ocis.net>
Tue, 19 Jul 2011 12:48:52 -0700

Is anyone surprised about this?

Grant Gross, IDG News Service, *InfoWorld*, 15 Jul 2011
Ad networks not honoring do-not-track promises
Some NAI members continue to leave tracking cookies on computers of
those who have opted out of targeted ads, a study says

Some online advertising networks continue to track Web users after tracking
opt-out requests, even though the networks have promised to honor those
questions, according to a new study from Stanford University's Center for
Internet and Society.  Eight members of the Network Advertising Initiative, a
cooperative of online marketing and analytics companies, promise to stop
tracking people who use the NAI's service to opt out of targeted
advertising, but continue to leave tracking cookies on those people's
computers, according to the study, published this week. ...


Man gets 18-year sentence for harassing neighbor through Wi-Fi

Mark Thorson <eee@sonic.net>
Wed, 13 Jul 2011 20:45:50 -0700

To get revenge on his neighbor, an ex-computer technician bought a Wi-Fi
hacking program, broke into his neighbor's network, and carried on a 2-year
campaign of harassment including making threats against vice-president Biden
that the Secret Service traced to the neighbor's IP address.
  http://www.dailymail.co.uk/news/article-2014556

  [I'm wondering what the program does that makes hacking a Wi-Fi network so
  easy.  MT]  [No surprise here.  PGN]


Let's hope their code stays closed!

<jidanni@jidanni.org>
Wed, 20 Jul 2011 08:11:32 +0800

Smuggled out from a certain closed source project I help with:

"...Welcome to the club :-) Had big issues reproducing it as well, but
finally were able to by filling up my inbox with a bunch of fresh and
unanswered requests. The problem was caused in the code part that is
responsible for generating the expiring-request-warning-list in the side
bar and started a chain-row-effect by crashing the translation engine
which at the end of the chain scrambled the correct handling of
interactions with the reply buttons. So this bug wasn't an issue for all
the user base, just for the ones with a lot of unanswered requests. Cheers!"

Let's hope their code stays closed.  [or bombarded with requests?  PGN]


Decoupling Civil Timekeeping from Earth Rotation?

Rob Seaman <seaman@noao.edu>
Tue, 26 Jul 2011 09:58:34 -0700

This meeting announcement is about as broad a computing issue in its impact
as any, and has received little attention outside of fields like astronomy
in which an obvious Y2K-like crisis looms.

Announcement for "Decoupling Civil Timekeeping from Earth Rotation"
Exton, PA  USA, 5-6 Oct 2011

Researchers and engineers have organized a meeting on the proposed
redefinition of Coordinated Universal Time (UTC).  Contributions are
solicited:
        http://futureofutc.org/

There will be a final vote at the International Telecommunication Union
assembly in Geneva in January 2012 whether to cease issuing leap seconds.
This proposal has been discussed previously (e.g., RISKS 24.79 and 26.43),
but no public meeting has been held since 2003.  The agenda will focus on
impacts of the change and possible engineering remediation strategies.

For more details, the International Earth Rotation Service has
circulated the announcement:

        http://data.iers.org/products/2/14839/orig/message_191.txt

There is a related article in the current issue of *American Scientist*

http://www.americanscientist.org/issues/feature/2011/4/the-future-of-time-utc-and-the-leap-second
        (preprint: http://arxiv.org/pdf/1106.3141)

With no leap seconds, UTC would no longer provide actual Universal Time.
Systems that previously assumed UTC was UT will need to distinguish the two
by introducing the correction known as DUT1, while systems that already
include DUT1 will need to allow for it growing past the current 0.9s
Y2K-like limit.  The proposal also eliminates the current distribution
scheme for DUT1.

Rob Seaman, National Optical Astronomy Observatory, Tucson, AZ
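The DUT1 migration problem Seaman describes, as an added example that is not part of the original post: it models a legacy DUT1 field limited to +/-0.9 s in 0.1 s steps (a simplified stand-in I constructed, not any particular standard's bit layout), shows it overflowing once DUT1 grows past 0.9 s, and contrasts a receiver that applies DUT1 with one that assumes UTC is UT.

```python
"""Added example (not part of the RISKS post): what a 0.9 s DUT1 limit means.

DUT1 = UT1 - UTC is the correction a system applies to recover Earth-
rotation time (UT1) from UTC.  Dissemination formats carry DUT1 in 0.1 s
steps with a magnitude of at most 0.9 s, the limit the post refers to;
leap seconds are what keep the real value inside that range.  The five-bit
sign-plus-tenths field below is a simplified stand-in for such a format
(an assumption for illustration, not any specific standard's layout).
"""
from datetime import datetime, timedelta, timezone

LEGACY_LIMIT = 0.9   # largest |DUT1| a one-digit, 0.1 s field can carry


def encode_legacy_dut1(dut1: float) -> int:
    """Pack DUT1 into a 5-bit field: bit 4 = sign, bits 0-3 = tenths digit.

    Raises OverflowError when |DUT1| exceeds what the field can hold, which
    is the failure a leap-second-free UTC would eventually trigger in
    receivers built for the legacy format.
    """
    tenths = round(dut1 * 10)
    if abs(tenths) > 9:
        raise OverflowError(
            f"DUT1 {dut1:+.1f} s exceeds the legacy +/-{LEGACY_LIMIT} s field")
    sign = 1 if tenths < 0 else 0
    return (sign << 4) | abs(tenths)


def decode_legacy_dut1(field: int) -> float:
    """Unpack the 5-bit field; rejects tenths digits that are not 0-9."""
    if field < 0 or field > 0b11001:
        raise ValueError(f"field out of range: {field:#07b}")
    tenths = field & 0b1111
    if tenths > 9:
        raise ValueError(f"invalid tenths digit {tenths} in {field:#07b}")
    value = tenths / 10
    return -value if field & 0b10000 else value


def ut1_from_utc(utc: datetime, dut1: float) -> datetime:
    """UT1 = UTC + DUT1.  A system that 'assumes UTC is UT' skips this step
    and is wrong by |DUT1|, however DUT1 is distributed."""
    if utc.tzinfo is None:
        raise ValueError("UTC instant must be timezone-aware")
    return utc + timedelta(seconds=dut1)


def legacy_receiver_ut1(utc: datetime, true_dut1: float) -> datetime:
    """UT1 as seen by a receiver that only understands the legacy field.

    Once |DUT1| > 0.9 s the value cannot be encoded at all, so this model
    falls back to treating UTC as UT (the fallback is an assumed receiver
    behaviour chosen to make the error visible, not a documented one).
    """
    try:
        field = encode_legacy_dut1(true_dut1)
    except OverflowError:
        return ut1_from_utc(utc, 0.0)
    return ut1_from_utc(utc, decode_legacy_dut1(field))


def legacy_receiver_error(true_dut1: float) -> float:
    """Seconds by which the legacy receiver's UT1 lags true UT1 at a
    constructed reference instant (rounded to the 0.1 s field resolution)."""
    t = datetime(2011, 7, 26, 12, 0, 0, tzinfo=timezone.utc)  # constructed
    gap = ut1_from_utc(t, true_dut1) - legacy_receiver_ut1(t, true_dut1)
    return round(gap.total_seconds(), 1)


if __name__ == "__main__":
    for dut1 in (-0.4, 0.9, 1.3):   # constructed values: in range, at limit, past it
        print(f"DUT1={dut1:+.1f}s  legacy receiver error={legacy_receiver_error(dut1):+.1f}s")
```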
