The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 7 Issue 81

Monday 21 November 1988

Contents

o Computerized voting problems in Toronto
Amit Parghi
o NH State Republican Convention Computerized Voting Standard
Kurt Hyde
o Ethics
Hugh Miller
o Re: Teaching "Ethics"
Brint Cooper
o Decompiled Source
Phil Karn
o Re: Risks of unchecked input in C programs
Henry Spencer
o Smart Roads
Robert Brooks
o IFF & UK Toll Roads
Nigel Roberts
o Re: "Electronic number plates"
Allan Pratt
o Re: UK vehicle-identification systems
John Haller
o Info on RISKS (comp.risks)

Computerized voting problems in Toronto

Amit Parghi <aparghi@watcgl.waterloo.edu>
Sun, 20 Nov 88 18:13:44 EST
From _The_Globe_and_Mail_, Saturday, 19 November (reprinted w/o permission):
    Machine misses 1,408 votes, Toronto clerk wants recount by Sean Fine

  Toronto's city clerk is asking council to order a city-wide recount after
1,408 votes in Monday's [14 Nov.] civic elections went unread by sophisticated
new machines. [...]  "We want the integrity of the election to be upheld,"
deputy clerk Barbara Caplan said in explaining why all 16 city wards, plus the
Metro Toronto wards and trustee races, should be retabulated.  Ms Caplan said
the recount could affect the outcome of only one city race, the three-vote
victory for reformer Malcolm Martini over conservative Michael Walker in Ward
16.  As well, three school trustee races could be affected.
  But a battle may occur over the manner of the recount.  The clerk's office
wants to give the machines, purchased recently at a cost of $1.6 million
(Canadian), another chance.  Ms Caplan said the computerized vote-counting
machines were not to be faulted.  An error in the printing or cutting of
ballots put them "off-register," or off-line, meaning they could not be
scanned by the machine, she said.  In the recount, those ballots that are not
read by the machine would be tabulated manually, she said.  [...]
  In the city's closest race, which pitted Mr. Walker against Mr. Martini, Mr.
Walker, a six-year veteran of council, was initially declared the victor Monday
night.  On Wednesday, the clerk's department discovered errors in manual
addition and Mr. Martini emerged the winner by three votes.  Now the entire
ward race is in question since 81 ballots were not read by the machine. [...]
  In no other city ward, and in none of the eight Metro wards located in the
City of Toronto, was the margin of victory smaller than the number of unread
ballots.  The number of ballots not read ranged from a low of 47 in Ward 4 to a
high of 237 in Ward 12.  [...]
  Under law, the ballots would have to be read in the same fashion - that is,
by the machines - as on election day, Ms Caplan said.  Only those ballots
rejected by the machines would be read manually.


NH State Republican Convention Computerized Voting Standard Resolution

Have Rdb Manuals -- Will Travel 264-3839 MKO1-1/B02 <hyde%isws23.DEC@decwrl.dec.com>
Mon, 21 Nov 88 12:32:19 PST
The following resolution was the only proposed resolution which passed at this
year's New Hampshire State Republican Convention:

   WHEREAS The State of New Hampshire has set no minimum standard for
   computer security in computerized voting, and

   WHEREAS The state of the art in computer crime has progressed
   dramatically in the last few years to now include virus programs which
   can transmit themselves from one computer to another without active
   participation by the computers' owners, operators, or users, and

   WHEREAS The State of New Hampshire has computerized voting equipment,
   some of which:

    o  Does not have the ability to recount manually,

    o  Does not have the ability to recount at all,

    o  Uses secrecy of internal procedures as a primary security strategy,

    o  Does not give the voter the ability to ensure the computer has
       voted as instructed,

   NOW THEREFORE, BE IT RESOLVED that the Republican Party of the State
   of New Hampshire calls upon the Legislature of the State of New
   Hampshire to enact legislation that would establish the following
   minimum computer security features for any further expansion of
   computerized voting or vote counting:

      Computerized voting equipment must either produce a manually
      recountable ballot for the voter's inspection prior to
      electronically casting the voter's ballot or use as its input a
      ballot which can be used in a manual recount.

Submitted by Kurt Hyde, Delegate from Weare.

This proposed standard is essentially the same one proposed at the first
National Symposium on Security and Reliability of Computers in the Electoral
Process at Boston University in August of 1986 (Co-chaired by Eva Waskell and
myself).

Many thanks to the RISKS Forum members who participated in the
development of this standard during 1985 and 1986.
                                                              Kurt


Ethics

Hugh Miller <MILLER@vm.epas.utoronto.ca>
Wed, 16 Nov 88 23:39:09 EST
     Stan Stahl, in RISKS 7.75, writes:

> The critical bottom line, and it is one that shouts out to us in the
> wake of the RTM worm, is that we absolutely must begin to take the
> teaching of ethics seriously.  Some school districts are beginning to do
> this and they are to be commended for it.  Perhaps if everyone were
> exposed to ethics courses, beginning in the early grades and continuing
> through computer ethics courses and business ethics courses, etc, then
> it would be clear `in the entire community what is and what isn't
> ethical behavior.'

     In my experience teaching ethics here and at McGill
University, such courses have little direct effect on the moral
behaviour of the students taking them.  About all that can be
expected -- and this is the *maximal* result -- is that the
students will be made aware of one more set of constraints they
must operate within: a code of professional ethics.  (In those
states which permit them.  Many don't.)  Like all such codes, the
extent to which they are taken seriously has much more to do with
upbringing, personality, generally accepted broad social norms,
peer pressure, etc., than with schooltime pedagogy.  Clever
people, or persons thinking themselves above or outside the
rules, always find excuses for circumventing them.  Scientific
pursuits in general, and mathematical/logical ones in particular,
due to the glamour and the cachet of difficulty attached to them,
encourage adepts in such beliefs.  The famous technological
imperative is at work as well: do what is "technically sweet"
first, and ask whether it was good after all once it's done.  The
novelist Walker Percy in one of his books quotes "a scientist's
prayer, if scientists ever prayed, which they don't: `Lord, grant
that my work lead to the betterment of the human condition, and
not the reverse.  Failing that, Lord, let it not lead to the
complete destruction of mankind.  And, failing that, Lord, please
don't let the end come before my article is published in
*Brain*.'"  And, frankly, the general culture we live in worships
at the  altar of Expediency, not Justice or Virtue, so one cannot
expect much help there.
     Further, most `ethics' instruction at the university level
with which I am familiar proceeds along lines so shallow and
analytical that it completely fails to engage the spirit of the
listener.  One doesn't have to be a devotee of Allan Bloom or his
ilk to see this.  However dedicated and forceful the teacher, the
material taught is so unchallenging and `conservative' (in the
sense of supporting the *status quo*) that even the very young
see through it and hit their mental channel-changers.  To explain
why this is so would require a long discussion, descending
occasionally into rant and tirade, of the practice of moral
philosophy in the English-speaking world in the 20th century, the
which I will spare us all.  Suffice it to say, the first ethics
course most students take is, in my overwhelming experience, the
last.
     This is not to say that I oppose teaching ethics.
Obviously, if such teaching does nothing more than lower the rate
of mischief in general circulation by a little bit it is A Good
Thing.  I merely wish to point out the limitations of all such
pedagogy.  The teacher in *Stand And Deliver*, please note, was
NOT teaching ethics.

Hugh Miller, University of Toronto, MILLER@UTOREPAS.BITNET


Re: Teaching "Ethics"

Brint Cooper <abc@BRL.MIL>
Thu, 17 Nov 88 11:58:50 EST
Eric Roskos writes,

> In an Ethics course, the most you can do is discuss ethical paradigms, which
> include systems of ethics in which it is entirely acceptable to engage in any
> activity that benefits you ("situation ethics" are an example of this).

We're missing something in this discussion.  A few digests back, someone
observed that post-Watergate attorneys began taking ethics courses as part of
their training.  But I don't believe for a moment that the purpose was to
"teach" ethics to the attorneys.  It was simply to get on the record that the
attorney had studied ethics so that he could not later claim ignorance of
ethical concepts or their irrelevance to his/her professional conduct.  By
this, ethical considerations can now legitimately be raised in disciplinary
proceedings.

It may come down to this in Computing Science as well.
                                                            _Brint


Decompiled Source (Re: RISKS-7.79)

Phil Karn <karn@ka9q.bellcore.com>
Thu, 17 Nov 88 13:02:35 EST
Some argue that the decompiled source code to the Internet worm shouldn't be
released because that would make it easier for someone to turn it into
something really damaging.

This is a specious argument.  Anyone can modify the worm's object file into
something very malevolent, and it doesn't even require the use of adb. Just
write an exit() that actually does "rm -rf /" followed by an infinite loop,
and link it to the worm object file using ld -r so it can be the subject of
another ld run.  I simply refuse to believe that I'm the only person to
think of something like this.

The only "sensitive" information contained in the worm source is the
security holes it exploits, and these are now very widely known.  The worm
is completely powerless without them, and you don't need the worm to exploit
in much worse ways a system that still has the holes. On the other hand,
there are a lot of people who have perfectly legitimate reasons for wanting
to see that code.  I, for one, would very much like to show my management
and our security staff exactly what it did (*and* did not) do.  Although I
personally have no reason to believe that the analysis prepared at MIT and
Berkeley is not complete, it is just not the same thing as having the actual
source in hand when trying to reduce the general paranoia level in others.

Phil


Re: Risks of unchecked input in C programs

<attcan!utzoo!henry@uunet.UU.NET>
Sat, 19 Nov 88 00:22:36 EST
A small error of fact in Bill Stewart's contribution:

>I've always been dissatisfied with the printf/scanf family - field widths are
>hard-coded in the format strings, with no way to parameterize them except
>building format strings on the fly...

Not true, and it hasn't been true for a long time.  A field width or
precision specification of '*' means "pick up an integer from the parameter
list at this point".  Either Bill has a very strange version of Unix or he
just missed this in the manual page -- it's been there at least since V7,
which came out nearly ten years ago.

                                     Henry Spencer at U of Toronto Zoology
                                 uunet!attcan!utzoo!henry henry@zoo.toronto.edu
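The '*' width and precision that Henry describes, shown in an added C example that is not from the digest or from any of its contributors; the helper names format_column, format_bounded and read_word_bounded are mine. In the printf family a '*' consumes an int argument placed just before the value it applies to. The example also covers the scanf side of Bill Stewart's complaint: there '*' means "match but do not assign", so the maximum field width cannot come from an argument, and the last helper instead writes the width into the format string from the buffer size, which is the one way a %s read can be kept inside its buffer without abandoning scanf.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the digest.  Width and precision are
 * taken from the argument list with '*'; the int argument comes
 * immediately before the value it governs. */

/* Right-align 'value' in a column of 'width' characters. */
int format_column(char *out, size_t outsz, int width, int value)
{
    return snprintf(out, outsz, "[%*d]", width, value);
}

/* Emit at most 'maxlen' bytes of 'src'.  A '*' precision on %s bounds
 * how far the string is read, so an over-long or unterminated source
 * cannot be read past the limit the caller supplies. */
int format_bounded(char *out, size_t outsz, int maxlen, const char *src)
{
    return snprintf(out, outsz, "<%.*s>", maxlen, src);
}

/* scanf differs: there '*' suppresses assignment, so the maximum field
 * width cannot be passed as an argument.  The safe width is written into
 * the format string once, derived from the buffer size (the "format
 * strings on the fly" case).  Returns 1 on success, 0 otherwise. */
int read_word_bounded(const char *input, char *buf, size_t bufsz)
{
    char fmt[32];
    if (bufsz < 2)
        return 0;
    /* e.g. "%7s" for an 8-byte buffer: leaves room for the NUL. */
    snprintf(fmt, sizeof fmt, "%%%zus", bufsz - 1);
    return sscanf(input, fmt, buf) == 1;
}

int main(void)
{
    char line[64];
    char word[8];

    format_column(line, sizeof line, 8, 42);
    puts(line);                               /* [      42] */

    format_bounded(line, sizeof line, 5, "unterminated-data");
    puts(line);                               /* <unter> */

    /* Constructed input: a token longer than the 8-byte buffer. */
    if (read_word_bounded("ABCDEFGHIJKLMNOP trailing", word, sizeof word))
        puts(word);                           /* ABCDEFG */
    return 0;
}
```

The three helpers return what snprintf and sscanf return, so a caller can check for truncation (snprintf's count exceeding the buffer) or a failed match rather than trusting the buffer contents blindly.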


Smart Roads

Robert Brooks <rb%hpda@sde.hp.com>
Fri, 18 Nov 88 15:35:22 pst
Many articles have appeared recently about "smart roads"; systems in which
communication of some sort between roads and vehicles enable such things
as automatic toll assessment, route planning, traffic jam avoidance, etc.
Much concern has been expressed about the Big Brother potential of such
systems.  But this is by no means an essential hazard.  The transponders,
barcode tags, or whatever could be purchased anonymously, and authorization
to cross various toll points n times purchased in advance, like postage
stamps.  Attempting to pass without prepaid authorization triggers a
buzzer, light, gate, or something directing one to a conventional toll
booth.  Those who proceed anyway are chased down like someone who goes
through an ordinary toll booth without paying.

Any technological advance is greeted by cries of "it won't work" and
irrational fears.  Smart roads are no exception.  We should indeed protest
implementations of the technology which are invasive to privacy, but
suppress Luddite urgings to abandon it altogether.


IFF & UK Toll Roads

Nigel Roberts, G4IJF <roberts%untada.DEC@decwrl.dec.com>
17 Nov 88 17:25
IFF (Identification Friend or Foe) and Toll Roads in the UK

Fitting IFF to cars

  Chaz Heritage and others raise genuine concerns about the possibilities for
intentional and unintentional misuse of such a hypothetical system.
  However I do feel some of the more fantastic possibilities are unlikely to
materialise. (Of course other risks, maybe with even worse consequences than
already imagined might, so don't stop discussing this!)

European Single Market

  From 1992, all goods sold in the Single Market must conform to common
specifications. As a result, National Type Approval for cars will be replaced
by a type approval for the whole of the EEC. (This, in fact will apply to all
goods & services, but we are discussing cars here)
  For example, the U.K. would like to introduce a requirement for U.S. style
third brake lights. However before it can do this, it needs all the other
member countries to agree.
  So to REQUIRE the fitting of an IFF-style device, it must be agreed by all
the EEC countries (and it must then conform to a common standard).

  The British consumer may in its lethargy accept Big Brother, but here in W.
Germany there would be a revolution if such an intrusion into privacy was even
so much as suggested. (There was enough outcry when machine-readable
passports/national ID cards were introduced; this was somewhat pacified by
removing the requirement to carry I.D. at all times)

Foreign Vehicles

  The number of foreign registered (usually European) vehicles on British roads
is increasing all the time, with the increase in contacts, trade, etc, with the
mainland which has occurred since the U.K. joined the EEC in 1973.

When the Chunnel opens there will be even more.

  The U.K., like most countries, is bound by the terms of the Treaties on
International Road Traffic to let visitors to the U.K. drive on their roads. If
the Essex Police got a MAIL message every time a car without a U.K. IFF plate
drove along the A12 (a major 'E' route) then their computer systems would soon
be overloaded.

Simple ways are best

  As a final postscript on the theme of "Big Brother is watching you"; let me
ask the rhetorical question:

    "Why use complicated methods of control when simple ones are best?".

  An example: all vehicles loading on to one particular ferryboat are monitored
by video as they pass Passport Control.
  Presumably, during the crossing, a list of all license plates can be made,
and telexed across to the destination port.
  What could be simpler than that? Why use complicated electronics when old-
fashioned surveillance works just as well, if not better.
                                                                 Nigel Roberts


Re: "Electronic number plates"

Allan Pratt <imagen!atari!apratt@ucbvax.Berkeley.EDU>
Fri, 18 Nov 88 14:40:59 pst
I saw a segment on "Electronic number plates" on "Beyond 2000" (or "Towards
2000"), a series from Australia which actually goes into more detail than most
shows...  They start with the Big Picture, but they don't stop with "but now it
gets so complex you couldn't possibly understand it" -- they go on to explain
in some technical detail.

So here's what they said: The "black box" is welded to the frame of your
car, and is virtually indestructible.  It has no external features.  It
has no power source (!).  If the handshake fails, a camera snaps a
picture of car, driver(?), and traditional number plate. 

The system they showed had 10 (?) nodes in central Hong Kong (or some
other high-density Asian city).  There are still a few bugs to work out
of the system, which RISKS readers have been quick to point out. 

No power source? I guess part of the inquiry from the roadbed is energy
enough for it to transmit back.

Towards 2000 and Beyond 2000 are on The Discovery Channel, which cable
services sometimes have as part of the basic service. 

Opinions expressed above do not necessarily reflect those of Atari Corp. or
anyone else.                     -- Allan Pratt, Atari Corp.  ...ames!atari!apratt


Re: UK vehicle-identification systems

<att!ihlpl!jhh@ucbvax.Berkeley.EDU>
Mon, 21 Nov 88 08:03:05 PST
denbeste@OAKLAND.BBN.COM writes:
>I find Chaz's description of the new system in Britain for toll-roads very
>interesting, to say the least. I have some interesting questions:

>1. As I understood it, what we have is a radio handshake between each car and
>fixed transceivers at the entrance and exit from the toll-road, presumably
>connected to a computer billing system which mails you a bill each month. What
>if you move and don't tell the computer your new address?

The Illinois Toll Authority has already installed this automated toll
collecting equipment on one exit as a trial.  They are retaining the coin
collection equipment, but are also supplying several large users, such as
limousine services and trucking companies, who use this exit with equipment
that will allow the users to be billed directly.  The device can read the
identification of vehicles traveling at up to 35 MPH [56 km/hr].  Since the
coin collection boxes are located on a curve here, the speed limit should pose
no problems.  In case you are from the Chicago area, this equipment is located
at the Farnsworth exit off of the East-West Tollway, I-88, formerly IL-5.
Unfortunately, there was no information readily available to describe the
transceiver.

The Illinois Toll System does not use entry/exit tolls, but rather periodic
toll barriers.  This causes large backups during rush hour, as everyone has to
put in their $0.40.  The hope is that this system will reduce congestion, and
that the expense of adding more toll booths can be avoided.

John Haller  jhh@ihlpl.att.com
