The RISKS Digest
Volume 9 Issue 9

Monday, 14th August 1989

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


California to escrow electronic vote counting software
Rodney Hoffman
Voters Left off Electoral Roll
Rohan Allan Baxter
Beeperless remote answering machine risks
Peter Scott
Computerized Houses
Jake Livni
Automated Driving
Ian Gent
Marijuana Virus wreaks havoc in Australian Defence Department
J. Holley
Universal Trapdoors
Vin McLellan
Computer Problems at Saratoga Racetrack
Rodney Hoffman
Dave Fiske
RISKS summer reruns?
Daniel F. Fisher
Jim Horning
Info on RISKS (comp.risks)

California to escrow electronic vote counting software

Rodney Hoffman <>
14 Aug 89 08:02:12 PDT (Monday)
Edited excerpts from an article by William Trombley in the 'Los Angeles
Times' 14-Aug-89:

A new law which takes effect Jan. 1, 1990, requires California counties to
place the source code of their vote-counting computer programs in escrow so
they can be checked by independent experts in case of disputed results.
The law is a partial response to increasing criticism that electronic vote
tabulation sometimes is inaccurate and is vulnerable to tampering because
of lax security.

The California secretary of state will approve escrow facilities and will
determine what material should be placed in escrow and under what
circumstances the source codes should be made accessible to investigators.
The escrow plan also allows election officials access to the codes should
the companies that produce the software go out of business or stop selling
that particular product, as has happened in several states.

California's new law coincides with efforts by the National Clearinghouse
for Election Administration, an arm of the Federal Election Commission, to
produce voluntary state standards for computerized elections.  The federal
standards, published in the Federal Register last week, also call for
putting source codes in escrow.  So far, Texas, New York and a few other
states have laws similar to California's.

Reactions to the new law vary:

Tom Diebold, president of DFM Associates, one election system vendor: "The
problem with escrow is that it makes it easier for someone who wants to
manipulate an election to get their hands on the source code."

Lester Jaspovice, V.P. and corporate counsel for Sequoia Pacific Systems,
another vendor:  "My company doesn't like it, but, as an attorney, I think
it's a good idea.  It provides a virgin copy of the code that the court can
call on in case of a dispute."

Howard Strauss, Princeton University computer scientist and member of
Election Watch:  If the source code in escrow differs from the one used to
count votes, "then you know something's wrong.  But if they're the same, it
doesn't tell you anything because they could both contain the same
mistakes."  Strauss also doubted that the law would protect against a
company going out of business or losing its top scientific talent.  "The
idea is that these escrow facilities will have technical people who can
read this stuff, but some of it is so badly written that, even after months
of work, you wouldn't know what it was all about."

Crew Deer, V.P. of Data Securities International, a computer software
escrow company:  "If the code has a bug in it, it will show up on both the
original and the copy, but that's good because you at least know it's a
technical problem and nobody has been tampering."  According to Deer, the
escrow fees for vote-counting source code might be about $1500 plus
$1000/year after that.  If a result is challenged and a detailed
verification process is carried out, the cost could be as much as $30,000.

Several critics said the new law does nothing to correct what they consider
to be the major flaw in computerized elections — the presence of poorly
trained, underpaid election workers who do not understand the computerized
equipment they are using to count votes.

  [For the record, on July 2, 3, and 4, the 'Los Angeles Times' ran a very
  lengthy series by William Trombley on computers and vote counting.  Nothing
  new, but a fair summary of past troubles, present systems, and suggested

  It includes quotes from many election officials, computer scientists, and
  statisticians.  Among those cited are RISKS contributors Gary Chapman and
  Marc Rotenberg of Computer Professionals for Social Responsibility, Lance
  Hoffman of George Washington University, Willis Ware of RAND, and RISKS
  moderator Peter Neumann.  (See RISKS 7.52 and 7.70 for references to past
  reports on the subject.)]

Voters Left off Electoral Roll

Rohan Allan Baxter <>
Thu, 10 Aug 89 08:21:34 EST
More than 6000 voters were unable to vote in local government
elections in Victoria on Saturday, August 5th, because of a
computer error made by the Australian Electoral Commission.
Newly enrolled voters and those who had changed municipalities had
their names left of the updated electoral rolls.

The error was made five months ago, but was detected less than
24 hours before the opening of the polling booths. A full internal
inquiry has been ordered into why the error was detected so late, as
well as its original cause.

Legal opinion indicate the elections are not invalidated by the error,
although legal challenges are expected from narrowly losing candidates.
One bitter voter affected by the error noted that voting in the
elections was compulsory - a bitter irony for those left of the rolls.

Beeperless remote answering machine risks

Peter Scott <PJS@grouch.JPL.NASA.GOV>
Sat, 5 Aug 89 14:28:03 PST
My answering machine is one that allows me to call in from a push-button
phone and signal it to play back my messages with a 2-digit code.  In
addition, there are single-digit codes that reset the machine, go forwards,
backwards, change the outgoing message, etc.

I just called in to get my messages; there was one.  Just before the caller
hung up they accidentally bumped some keys on their phone, resulting in
some digit tones being recorded on their message.  I heard this and
waited for the machine to beep to tell me it had finished playback.  Instead,
it played the message again... and again...  Apparently it was taking
input from the message tape as valid, and one of the buttons the caller
pressed was the "backwards" command.

I suppose if I were getting the message off the machine at home this
wouldn't happen, because it would not be in remote mode.  This has some
interesting consequences for the unscrupulous callers and unwary callees.

Peter Scott (

Computerized Houses

Jake Livni <JAKE%Irving@VX1.GBA.NYU.EDU>
Mon 14 Aug 89 18:57:48-EDT
              "The New Homes Are Getting Smarter"
            "Cued by computers, they run themselves"
                        by Mark McCain
(Excerpted from the Real Estate Section of the New York Times, August 13, 1989)

    Although electronic brains these days control televisions and telephones,
offices and automobiles, the average house is still a mindless creature,
bumbling along without any effort to make itself more safe [!!!], or
economical, comfortable or convenient.

    For many houseowners, that's fine.  The thought of a house smart enough
to take matters into its own hands is absurd - even threatening.  Who's
to say it wouldn't fire up the oven after midnight just on a lark?

    But new houses are improving their IQs.  After many years of futuristic
talk without much follow-through, builders are beginning to install automated
systems that act like all-knowing butlers.  Not surprisingly, the systems
are most popular in expensive houses, where budgets are big and rooms so
numerous that even turning off lights at bedtime can be burdensome. [...]

    "When my 3-year-old boy comes out of his room at night, a motion detector
turns on the hallway light for him," says Robert Pomeranz, a banking executive
who lives in a new 7,500-square-foot house outside Washington.  "Obviously,
it's not worth buying an integrated control system for small things like
that, but it's amazing how useful the system can be as you become comfortable
with it."

    Like humans, the systems aren't perfect.  A light may turn on for no
apparent reason or a front door may refuse to open for it's master.

    [That sounds nice in an emergency...]

    "The houses we're building today have interiors right out of the space
age, even though their exterior appearances are traditional," said Kenneth
Nadler, an architect in Mount Kisco, NY, who designs expensive houses.
"It's Jetson on the inside and Gatsby on the outside."

    For a homeowner eager to outdo even George Jetson, the futuristic TV cartoon
character, there's a $26,000 whirlpool that accepts calls - say, from a
car phone - to start water running at bath-perfect temperature.  Too expensive?
For less than $1,500, there's a fireplace with a gas flame adjustable from
glowing to roaring by infrared remote control.

    [Could Audi 5000's order up a bath by themselves? :-) ]

    But even aficionados have their limits.

    "I'm afraid of those things," said Joel Sommer, a Maryland builder who
infuses his multi-million-dollar houses with high technology.  "What whould
happen if the whirlpool didn't shut off automatically or gas started flowing
in the fireplace without an ignition spark?  I just don't see the benefit
of some products."

    Certainly, automated devices built into houses today do not always make
practical sense.  It is a situation reminiscent of the home-computer craze
in the early 1980's, when companies promoted computers for such uses as
storing recipes, even though ingredients that only soil a cookbook page
might easily destroy a kitchen keyboard.  Today home computers are common,
but not for recipes or checkbook balancing or other uses suggested by early

    "In similar fashion, I'm sure we'll find a great many applications for
home automation that people haven't thought of yet or haven't predicted
to be big winners," said Roger Dooley, editor of Electronic Home, a trade
magazine published in Mishawka, Ind.  "And what's being touted today as
big benefits may end up being used by only a few homeowners." [...]

    "I live alone in a 10,000-square-foot house with only my housekeeper,
so I need to feel really secure, and what I've installed is state-of-the-art,"
said [... someone who has such a system.  She also ...] has a sensor in each
room to control the temperature, and only once have things gone awry.  "During
a storm with heavy lightning the sensor in the living room got stuck at 95
degrees," she said.  "So the air-conditioning system kept trying to cool the
room. It felt like a meat locker." [...]

    Beyond that, there's the gee-whiz appeal, like a synthesized voice in the
kitchen that anounces when a letter carrier has delivered the mail. [...]  "You
don't have to install an integrated control system," said Mr. Sommer, the
developer, who is completing an 11,000-square-foot house with such a system. "I
happen to enjoy them because my background is in computer science.  But really,
they're toys."

    [discussion of business aspects of marketing these systems...]

    One futuristic idea now becoming more practical is voice control.  Already,
voice-recognition devices that allow a computer to understand a vocabulary of
about 75 words are available for less than $500.  As those devices become more
powerful and less expensive, they will be an option for controlling home

    "You'll be able to just walk up and talk to it," explained David MacFadyen,
an industry expert.  "When you say, 'Good night, house,' the temperature
controls will be set back in unoccupied areas, the hot-water heater will be set
back, the phone will go on voice-mail.  Just a couple of words will trigger an
evening shutdown sequence that is far more elaborate than anything we can think
of now.

    ["Good night, RISKS" ...

Jake Livni

Automated Driving

Ian Gent <>
Mon, 14 Aug 89 14:48:31 +0100
A documentary on UK's Channel 4, 13 Aug 1989, was about traffic
problems, especially congestion in cities.

After concluding that there was no obvious and fair solution, the
programme suggested that the best hope lay in more automation in
cars.  What's more, the programme implied that machines driving cars
would be feasible in the medium term (next decade or two).

For instance, shots were shown of a human driven automobile in
which experimenters were recording data about close vehicles, etc.
Apparently, and I paraphrase the commentator, although the
researchers were only recording data, there's no reason in principle
why the information should not be fed into control computers.
The clear implication was that this would be much safer than letting
humans drive.

Also, with automatically or semi-automatically driven, it would be
possible for my vehicle to refuse to let me drive into a city centre
if the centre was too busy.

The risks are obvious and horrific, but what is even more depressing
is that experts in other fields just do not see the risks, and that
TV researchers do not even think to ask anybody who might know about
these risks.

Ian Gent, University of Warwick, Coventry, UK

Marijuana Virus wreaks havoc in Australian Defence Department

Mon, 14 Aug 89 10:18:16 NZS
Quoted from The Dominion, Monday August 14 :

A computer virus call marijuana has wreaked havoc in the Australian
Defence Department and New Zealand is getting the blame.

Data in a sensitive security area in Canberra was destroyed and when
officers tried to use their terminals a message appeared : "Your PC is
stoned - Legalise marijuana".

Viruses are [guff on viruses] The New Zealand spawned marijunana has
managed to spread itself widely throughout the region.

Its presence in Australia has been known for the past two months. The
problem was highlighted two weeks ago when a Mellbourne man was
charged with computer trespass and attempted criminal damage for
allegedly loading it into a computer at the Swinbourne Institute of

The virus invaded the Defence Department earlier this month - hitting
a security division repsonsible for the prevention of computer viruses.

A director in the information systems division, Geoff Walker said an
investigation was under way and the infection was possibly an
embarrassing accident arising from virus prevention activities.

New personal computers installed in the section gobbled data from
their hard disk, then disabled them.

Initially it was believed the virus was intoduced by a subcontractor
installing the new computer system but that possibility has been ruled out.

One more outlandish theory suggested New Zealnd, piqued at its
exclusion from Kangaroo 89 military exercises under way in northern
Australia, was showing its ability to infiltrate the Canberra citadel.

New Zealand was not invited to take part in Kangaroo because of United
States' policy of not taking part in exercises with New Zealand forces
since Labour's antinuclear legislation. However, New Zealand observers
were invited.

New Zealand Defence Department spokesmand Lieutenant Colonel Peter Fry
categorically denied the claim. "It would be totally irresponsible to
do this kind of thing."

In fact, New Zealand's Defence Department already had problems with
the virus, he said.

Universal Trapdoors

Sat, 5 Aug 89 22:06 EDT
  If most large-system sites have user-installed trapdoors...

  If techies and technical management install these trapdoors to evade
the access control tables because they are convinced these subsystems
are 1) too often mismanaged, 2) too easily corrupted, 3) too cumbersome
in an emergency, or 4) too prone to technical failure...

  Then — so long as this huge community of unbelievers remains
unwilling to submit to the control of the access control system — we
_will_ have users installing trapdoors for an alternative path to
high-priviledged status, despite the obvious risks.

  If 15 years of unrelenting propaganda by the vendors and gurus have
left the users so unwilling to follow the prescribed path of
righteousness, maybe someone other than the users should reconsider.  As
it is, user-installed trapdoors are almost universal on big systems, but
because they are illicit, "secret," they are seldom protected by
anything more than their obscurity.

  What is so wrong about giving the users a safe model for what they
demand — a route around the access control system — when just they
take it anyway, security be damned?

  Who is being more unrealistic:  the system programmers who code these
traps, or the security specialists who ignore the fact that virtually
all systems have trapdoors?  Aren't we talking about trusting people who
are already virtually all-powerful in their environment?

  Why can't we use an alternative security device to secure this
alternative access path?  Encryption seems a likely padlock.  With a mix
of synch and asynch crypto, it seems possible to set up a "one-time key"
access, supported by user authentication, separation of function, audit
trails.  Heck, add an audible alarm.  Even without the PKE frills,
simple encryption can put a lock on what is otherwise an open gate
hidden in the thickets.  Continuing the masquerade, ignoring the
existence of the problem, gets us Nowhere.

  For twenty years people have been showing me trapdoors into systems.
Now, I'm shown or told of trapdoors that open whole networks (recently,
one which popped a net of control systems for a major phone company,
installed by management.)  Now, I chat with hackers who give tutorials
on how to locate user-installed trapdoors.  One "specialist" recently
told me that it seldom takes him more than 20 minutes to identify such a
trapdoor in a typical corporate MVS system.

  The auditors are not the only ones, nor likely the most challenging
foe, these users have to outsmart.

Vin McLellan The Privacy Guild (voice/fax:  617-426-2487) Boston, Ma. 02111

Computer Problems at Saratoga Racetrack

Rodney Hoffman <>
4 Aug 89 07:23:56 PDT (Friday)
From wire service stories in the 'Los Angeles Times' August 3 and 4, 1989:

Computer problems frustrated a record opening-day crowd at New York's Saratoga
Race Track on Wednesday, and track officials said Thursday's card might be
canceled if the problem was not fixed by Thursday morning.  Bettors were kept
in the dark about the odds, payoffs, and even the time of day.

"There's some sort of gremlin running around that software, and we can't find
it," said Gerard McKeon, president of the New York Racing Assn on Wednesday.
... The computer problem extended Wendesday's nine-race card by an hour and
cost NYRA about $1.5 million in handle, McKeon said.  Pari-mutuel machines and
the track's tote boards were also affected by the problem.

Technicians worked through the night to replace the software, and things
were apparently back to normal on Thursday.

Computer Breakdown Thwarts Saratoga Bettors

Dave Fiske <>
3 Aug 89 21:35:32 GMT
Here's a first-hand account of an item for RISKS, since I was there on

August 3, 1989,  Latham, NY

Yesterday was opening day for thoroughbred racing at the Saratoga Race
Course in Saratoga Springs, New York.

It was a computer disaster.

The beginning of the 122nd season was ruined by computer problems which
forestalled the placement of wagers for Races 5 through 9 of the 9-race
program.  The New York Racing Association, which operates Saratoga and
the other racing facilities in New York, is estimating a loss of $1.5
million in on-track, and $2 million in off-track handle.  The loss in
good will is not measurable--parimutuel systems are dependent on their
accuracy and reliability for continued patronage--chances are most fans
will be forgiving and come back.  Provided, that is, that the system
gets straightened out.

This is by no means certain.  Racing officials announced yesterday that
they had no idea what had caused the computer system to crash, and for
fans to listen for a 9 AM announcement this morning before heading for
the track.  This morning, NYRA announced that they intend to offer
wagering today, that they believe they have found the software problem
and corrected it, and that they are "80%" sure the system will work
correctly once betting begins today.

Like most tracks, betting information is displayed both on Tote Boards
(light-bulb displays) and on computer-generated video screens.  Both
types of displays were affected by the problem(s)--at one point, I
observed that odds displayed on the two types differed.  (Presumably
one was being updated from the computer, and the other not. However,
regardless of which was correct, some fans were being provided with
inaccurate information.)

Though the displays worked on and off from the 5th race on, the betting
machines did not function at all.  The machines are of two
types--terminals which are located at the regular betting windows, and
which are operated by track employees; and so-called "SAMs", which
employ touchie-feelie screens so that bettors can place their own
wagers.  The self-service machines allow a bettor to insert a
winning ticket or a cash voucher.  Under ordinary circumstances, the
value of the ticket or voucher is read and then displayed on the
screen.  At the beginning of the computer outage, machines were
displaying incorrect values for tickets, or simply eating tickets or
vouchers.  Bettors who had encountered problems at the betting windows
at least had a human clerk to complain to--those using the SAMs had to
stand around wondering what to do.

Post times for races were delayed in hopes that the computers could be
made to operate, but to no avail.  The final race took place nearly an
hour later than usual--and only those few who had made advance wagers
early in the day had any money riding.

Because the system handles both bets and payoffs, automated calculation of
prices for winning horses was also pretty much incapacitated.  People holding
winning tickets (even from previous races) were not able to cash them.

Technicians worked overnight, having flown up from Autotote in
Delaware, and apparently fixed some software problems, but officials
still are not certain of what happened exactly.

Today, Thursday, the system seemed to operate properly.  The normal $2
admission fee was waived, as a gesture to yesterday's disappointed
fans.  However, given that officials were uncertain this morning that
it would hold up, the system's performance may have been more luck than
anything else.

Other than having diagnosed the problem as a software, rather than a hardware,
one, officials are offering no explanation as to what the problem was.
However, as an outsider, one could focus on the following factors:

     When the season at Saratoga starts each year, most of the equipment
     used  is moved up from Belmont Park, near New York City.  The move,
     which includes starting gates, etc.,  as  well  as  the  computers,
     betting machines, and TV monitors, takes place in the timespan from
     the last race at Belmont on Monday to the first race at Saratoga on
     Wednesday.   Assuming  that no hardware damage occurred in transit,
     this allows very little time for testing, since some of those 30-40
     hours are taken up by travel time and installation.

     Though  officials  say  that software changes are made nearly every
     week, a number of changes--some in effect  only  for  the  Saratoga
     meet--were  made in the betting rules.  For example, Triple betting
     is now offered in the 8th as well as the 9th race;  the  number  of
     horses  required  to  be  entered  in races offering certain exotic
     wagers was lowered; and for two racing days  only,  when  important
     stakes  races  are  run,  exacta  wagering  will be allowed for all
     races, regardless of the number of horses entered.

My guess is that more--and more sophisticated--software changes were made than
normally, and that, with limited time to test a system which was asked to
handle wagers from 30,000 people yesterday, some bug went undetected until
triggered yesterday.

It will be interesting to find out what backup setup NYRA utilizes.
Officials mentioned today that, if the system broke down today, that
hopefully their backup systems would not fail, so that they could
determine what went wrong.  This leads me to believe that there was a
secondary failure of some type yesterday, such that the planned backup
process did not work.

RISKS summer reruns?

Daniel F. Fisher <dff@Morgan.COM>
Fri, 4 Aug 89 22:32:43 EDT
During the present slow-down in RISKS, I was particularly happy when, this
evening, my netnews reader presented me with an `unread' RISKS digest.  It
was not until I was half way through it that I realized it was one I had
already seen.  In fact it was RISKS 8.81 from 17 June 1989.  Was this a
local phenomenon, or has the Network, not wishing to RISK lower ratings,
started airing Summer Reruns?

Just curious,

Daniel F. Fisher, Morgan Stanley & Co. Inc.

For your amusement [ RISKS summer reruns? ]

Jim Horning <>
2 Aug 1989 1828-PDT (Wednesday)
Here's the Path: on the copy of RISKS 8.81 that just arrived!

Path: jumbo!decwrl!purdue!mailrus!!leah!rpi!batcomputer

Please report problems with the web pages to the maintainer