RISKS-LIST: Risks-Forum Digest  Friday 7 November 2003  Volume 23 : Issue 01

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at http://www.risks.org as
  http://catless.ncl.ac.uk/Risks/23.01.html
The current issue can be found at
  http://www.csl.sri.com/users/risko/risks.txt

  Contents:
Credit agencies sending our files abroad (David Lazarus via Paul Saffo)
Crypto screwup: Sensitive Israeli missile test inadvertently broadcast
  (Craig S. Bell)
A new risk for electronic voting (Jeremy Epstein)
California Halts E-Vote Certification (Kim Zetter via Monty Solomon)
Touch screen voting -- like Web site maintenance? (William Nico)
Irish Labour Party urges suspension of e-voting until flaws addressed
  (Patrick O'Beirne)
E-ZPass, UPS, and Newark Airport (Susan Landau)
Microsoft puts a price on the heads of virus writers (NewsScan)
Microsoft patches their patched patches (Robert Bruce Thompson via Dave Farber)
Remember those jokes about "if AT&T built cars?" (Daniel P.B. Smith)
Duh! an electronic signature! (Geoff Kuenning)
Paying employees is not rocket science (Paul Robinson)
Another victim of the d__n bad-word filter!
  (Adam Abrams)
REVIEW: "High Integrity Software", John Barnes (Rob Slade)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 07 Nov 2003 08:47:57 -0800
From: Paul Saffo <psaffo@private>
Subject: Credit agencies sending our files abroad (via Dave Farber's IP)

David Lazarus <dlazarus@private>, *San Francisco Chronicle*, 7 Nov 2003 [PGN-ed]
  sfgate.com/article.cgi?file=/c/a/2003/11/07/MNG4Q2SEAM1.DTL
  IP Archives at: http://www.interesting-people.org/archives/interesting-people/

Two of the three major credit-reporting agencies (Equifax, Experian and TransUnion, each holding detailed files on about 220 million U.S. consumers) are in the process of outsourcing sensitive operations abroad, and a third may follow suit shortly. Privacy advocates say the outsourcing of files that include Social Security numbers and complete credit histories could lead to a surge in identity theft because U.S. laws cannot be enforced overseas. For their part, the credit agencies say the trend is a necessary cost-cutting move in light of new legislation that would allow all consumers to obtain free copies of their credit reports. (TransUnion states that would cost them as much as $350 million a year.)

"The application of American law in a foreign country is difficult, if not impossible," said Sen. Dianne Feinstein. "Therefore, the more companies move overseas, the less American law can control the uses for which personal data is put. And this can only represent an increasing threat to the privacy of our citizens."

Sen. Barbara Boxer said she would ensure that the matter was raised as senators and House members completed changes to the Fair Credit Reporting Act. "This information is very significant, and I intend to make sure that the conferees who are finalizing the bill are aware of the *Chronicle*'s investigation in hopes that they will protect Americans from such outrageous invasions of privacy," Boxer said.
------------------------------

Date: Thu, 06 Nov 2003 22:38:47 GMT
From: "Craig S. Bell" <craig@private>
Subject: Crypto screwup: Sensitive Israeli missile test inadvertently broadcast

A security lapse by Israel Aircraft Industries apparently permitted an internal screening of a missile test to be accessible by satellite dish, unencrypted.
  http://www.haaretz.com/hasen/spages/357662.html
  [PGN-ed; also http://www.newsday.com/news/nationworld/wire/sns-ap-israel-missile-test,0,409849.story?coll=sns-ap-nationworld-headlines ]

------------------------------

Date: Thu, 6 Nov 2003 15:56:08 -0500
From: Jeremy Epstein <jeremy.epstein@private>
Subject: A new risk for electronic voting

The RISKS of electronic voting have been discussed often enough in this forum that I won't repeat them further (cf. Rebecca Mercuri's piece in RISKS-22.96). Last week's election in Fairfax County (Virginia) had a new risk I haven't seen covered before.

They use WinVote machines, made by Advanced Voting Solutions of Frisco, Tex. These are essentially Windows laptops with a touchscreen and an 802.11 wireless net. (More about that in another RISKS article one of these days.)

Seems that during the election, at least eight of the machines failed (out of almost 1000 in use county-wide), and were taken out of the polling places to a central repair facility, and then brought back after some form of "repair" was made (a reboot at the polling place did not solve the problem). The seals were broken, but the voting officials in the precincts were told to resume using them. The result was a lawsuit by the Republican party seeking to invalidate the votes from those machines. There aren't enough votes at stake that it would change any of the election results.

Of course, the real problem is that without any sort of physical (paper) record, it's impossible to prove what really happened when the machines were being "repaired".
In addition, the "hi tech" vote counting (which was supposed to occur by uploading the results from every precinct to a central computer over a dial-up line) overloaded the servers, and "More than half of precinct officials resorted to the old-fashioned telephone to call in their numbers or even drove the results to headquarters, elections officials said. A handful of precincts went back to paper ballots."

The only thing that's surprising here is that the election officials were surprised.

See http://www.washingtonpost.com/wp-dyn/articles/A1397-2003Nov5.html

------------------------------

Date: Tue, 4 Nov 2003 19:16:59 -0500
From: Monty Solomon <monty@private>
Subject: California Halts E-Vote Certification (Kim Zetter)

Kim Zetter, Wired.Com, 3 Nov 2003

SACRAMENTO, California -- Uncertified software may have been installed on electronic voting machines used in one California county, according to the secretary of state's office.

Marc Carrel, assistant secretary of state for policy and planning, told attendees Thursday at a panel on voting systems that California was halting the certification process for new voting machines manufactured by Diebold Election Systems.

The reason, Carrel said, was that his office had recently received "disconcerting information" that Diebold may have installed uncertified software on its touch-screen machines used in one county. He did not say which county was involved. However, Secretary of State spokesman Douglas Stone later told Wired News that the county in question is Alameda. ...

  http://www.wired.com/news/politics/0,1283,61068,00.html

------------------------------

Date: Wed, 5 Nov 2003 09:02:54 -0800 (PST)
From: William Nico <nico@private>
Subject: Touch screen voting -- like Web site maintenance?

The 4 Nov 2003 election in Pleasanton, CA had only a School Board choice on the ballot.
However, the "Instructions", which comprised the opening page on the touch screen voting machine, were wholly focused in detail on the gubernatorial recall election of 7 Oct 2003!

------------------------------

Date: Mon, 03 Nov 2003 19:39:55 +0000
From: "Patrick O'Beirne" <pob2002@private>
Subject: Irish Labour Party urges suspension of e-voting until flaws addressed

http://www.labour.ie/press/detail.tmpl?SKU=20031103143251

Press Release
Gilmore urges suspension of e-voting until flaws addressed
Eamon Gilmore TD, Labour Spokesperson on Environment and Local Government
Issued on Monday 03 November, 2003

The Labour Party has called for the suspension of plans to extend electronic voting until the e-voting system has been changed. The call was made today (Monday) by the Labour Party Spokesperson on Local Government and the Environment, Eamon Gilmore TD, at a Press Conference to launch a study of the electronic voting system which was commissioned by the Labour Party. The report was prepared by two Labour Party members, Shane Hogan and Robert Cochran, who are both experienced IT specialists.

Deputy Gilmore said: "The report identifies a number of major flaws and deficiencies in the electronic voting system which the Government plans to extend to all areas of the country for the Local and European Elections next year. The major defects are:-

* No integrated end-to-end test of the entire system has been conducted to date. The testing of the Integrated Election Software (IES) software was carried out by the UK based Electoral Reform Society in 2002. However for this test the random mix feature of the IES was disabled. An integrated end-to-end test would generally be considered a key part of the implementation of any new technology.

* Formal Methods were not used to prove the accuracy of the software. Formal Methods refer to a set of mathematically based techniques that are used in the development of safety-critical software such as airplane navigation or life support machines. The Department of the Environment has not made the actual source code publicly available but it is clear from the technology used and source code review that formal methods were not used and that therefore there are bugs in the software.

* It is possible that the database on the Count Centre PC, which is Microsoft Access, could be overridden by a replacement pre-prepared database, which could be designed to give a specific result by a single "copy" command. In addition vote information is transferred between PCs at the Count Centre on floppy discs. It would not be difficult to exchange discs.

* Unauthorised persons could produce a version of the NEDAP voting machine software and/or the IES which could be designed to give an election result biased in favour of a particular Party or Candidate.

"These threats are possible because the proposed electronic voting system lacks the transparency of the current paper ballot system. The voter has no way of being certain that the vote which he/she casts is accurately recorded by the voting machine and software and is thereafter not overridden by a corruption of the Count Centre software. The voter is expected to have blind trust in the technology.

"The Labour Party is proposing a number of reforms which will be necessary if the proposed electronic voting system is to be reliable, free from interference and if it is to enjoy the confidence of the public.

"The reforms proposed by the Labour Party are as follows:-

1. The introduction of a Voter Verifiable Audit Trail (VVAT) which would create a parallel paper record of votes cast which could be stored and checked in the event of a dispute over an election outcome.

2. The use of Formal Methods to ensure that the software used in both the election machines and in the vote counting is totally reliable.

3. The adoption of formal procedures to prevent interference either with the machines' software or counting process.

4. The carrying out of an integrated end-to-end test of the entire system.

5. The establishment of an independent audit and supervisory role over electronic voting for the Standards In Public Office Commission.

"The complete changeover to electronic voting next June will be the biggest single change in the country's electoral practice since Independence.

"It is essential that electronic voting has the confidence of the public and of the participants in elections. The system which the Government intends to use next June is seriously flawed. No democracy should proceed with a new electoral system which opposition Parties fear may lead to election rigging.

"It is essential for continuing confidence in the electoral system that the proposed electronic voting be changed. The Government should suspend plans for the extension of electronic voting until the reforms proposed by the Labour Party have been implemented."

------------------------------

Date: Mon, 3 Nov 2003 10:16:03 -0400
From: Susan Landau <susan.landau@private>
Subject: E-ZPass, UPS, and Newark Airport

[This appeared in the Metropolitan Diary section of *The New York Times*, 3 Nov 2003. It is yet another example of what can happen when perfectly plausible actions are combined in unexpected ways. Fortunately this one is humorous. Susan Landau]

Dear Diary:

After moving to Nashville from New York recently, it occurred to me that I no longer had a pressing use for my E-ZPass. Following the E-ZPass instructions, I filled out a few forms and dropped my pass off at United Parcel Service, destination Staten Island service center.

Two weeks passed, and I received my normal E-ZPass e-mail statement. I entered my account and, lo and behold, my recently surrendered pass had been used by someone to go from Newark Airport to Exit 18 on the New Jersey Turnpike. I was incensed.
I immediately called E-ZPass and informed them that someone had stolen my pass. I explained that I had mailed the pass and that now someone was running up and down the turnpike using it.

Very calmly, the E-ZPass representative said, "Sir, your E-ZPass was not stolen, it is in the UPS truck, and every time that truck goes through an E-Z Pass toll booth, it is going to register another toll."

------------------------------

Date: Thu, 06 Nov 2003 08:58:12 -0700
From: "NewsScan" <newsscan@private>
Subject: Microsoft puts a price on the heads of virus writers

Microsoft is using an old-fashioned tactic to fight new-fangled viruses -- it's created a $5-million Anti-Virus Reward Program and is offering $250,000 bounties for information leading to the arrest and conviction of the people behind last summer's Blaster worm and Sobig virus. Together, those attacks are blamed for $2 billion in losses by businesses and consumers, according to consulting firm Computer Economics Inc. Security experts are split on whether the new initiative will prove successful, but Microsoft senior security strategist Philip Reitinger says, "What we hope to accomplish is to give people an incentive to do the right thing." [*Los Angeles Times*, 6 Nov 2003; NewsScan Daily, 6 Nov 2003]
  http://www.latimes.com/technology/la-fi-bounty6nov06,1,4082881.story?coll=la-headlines-technology

  [The sad part is that for $5M, MS cannot fix its deeper computer security problems, so that expenditure will not solve their problems. On the other hand, if MS spent $2B rearchitecting and reimplementing their software, think what might be done! (On the other hand, I recall the period in the 1970s when IBM reportedly spent $40M on improving its mainframe computer security. The old joke at the time was that they spent $39M on public relations and $1M on travel.)
  PGN]

------------------------------

Date: Mon, 03 Nov 2003 11:34:47 -0500
From: Robert Bruce Thompson
Subject: Microsoft patches their patched patches (IP)

(via Dave Farber's IP, with an addition forward from Mark Luntzel)

For years, the conventional wisdom has been that one can't trust Microsoft software until version 3.0, and that apparently is true for their security patches as well. The middle of last month, with much fanfare, Microsoft went to their new scheme of releasing patches in batches once a month. A week or so later, they released batches of patches to those batches of patches. Now, they're releasing batches of patches to the batches of patches to the batches of patches.

For details, see:
  <http://www.esecurityplanet.com/prodser/article.php/3101901>

These batches and batches of patched patched patches are critical, so don't ignore them. And, the way things are going, look for batches and batches of patched patched patched patches sometime next week.

Robert Bruce Thompson <thompson@private>
http://www.ttgnet.com/thisweek.html
http://forums.ttgnet.com/ikonboard.cgi

------------------------------

Date: Sat, 01 Nov 2003 14:38:40 -0500
From: "Daniel P.B. Smith" <dpbsmith@private>
Subject: Remember those jokes about "if AT&T built cars?"

... those humorous pieces that point out the ludicrous unusability of computer user interfaces by speculating on what a car with a similar user interface might be like? Well, don't laugh too hard...

*The Boston Globe* auto writer Royal Ford just published an article headed: "For drivers, electronic overload." *The Boston Globe*, 1 Nov 2003

"To start the heater or air conditioning in the [a 2-year old Acura] MDX, you start with the dashboard navigation screen, then make your way through a series of baffling electronic menus, through climate control and beyond.... 'It's a distraction while you're driving,' [owner Stuart Schneiderman] said.... The system in the [BMW] 7 Series... remains a landmark in complexity, using a dial between the front seats to reach eight "points" of control. Each point then controls a multilayered system of options that many drivers have found to be like peeling an electronic onion.... the system proved so complicated that Web sites have offered "cheats," hidden shortcuts like those used by video gamers.... the Lexus LS430 [has] one of the most manageable electronic... but the manual for the system runs to 178 pages."

To anyone who's ever had the window of a rental car frost up in traffic, while leaving an airport, with no place to pull over and no companion handy to dig out the owner's manual and locate the right button... the RISKS should be obvious.

Daniel P. B. Smith, dpbsmith@private  alternate: dpbsmith@private

------------------------------

Date: Mon, 3 Nov 2003 23:39:07 -0800 (PST)
From: Geoff Kuenning <geoff@private>
Subject: Duh! an electronic signature!

I just finished submitting a reference letter to the Hertz Foundation for a student. This process is done through a Web form. The foundation requires an electronic signature on the recommendation. The signature is collected by presenting the recommender with a Web page reading something like this:

    I certify that I am the person named below:
    (type name in box)

Even my wife, who is a musician by profession, reacted with "Oh, yeah, *that's* real secure!"

I suggest that instead, the foundation should simplify my life by simply providing a check box labeled "This recommendation is forged."

Geoff Kuenning  geoff@private  http://www.cs.hmc.edu/~geoff/

------------------------------

Date: Tue, 28 Oct 2003 23:31:25 GMT
From: Paul Robinson <postmaster@private>
Subject: Paying employees is not rocket science

WBIG radio reported Friday that there was a protest by employees of the Prince George's County [Maryland] School District over payroll problems.
The School District has installed a new computer system and apparently is unable to generate payroll checks for quite a number of employees including school bus drivers. This is also causing problems with their health insurance as well. Some of the employees report that they have not been paid since the start of the school year. A School District spokesperson reportedly said they are working with Oracle to find where the problem is.

My own comment is that something is really strange here. I used to do payrolls myself, by hand. Generally you do them by computer because it's cheaper than using lots of clerks and because it scales better. But as this article's title noted, payrolls are not some arcane subject, the method to do them is pretty much cut and dried and has been probably since the 1970s or 1980s with the standard accounting rules in effect. The only issue is for the number of employees that the computer system will scale properly.

Let's presume PG county has perhaps 30,000 employees at the school district. If it takes an average of 10 seconds - obviously more than it actually takes - to do all required calculations for each check, such as what deductions, what payments, and how salary is computed, then they need 300,000 seconds to calculate payroll, or roughly about 84 hours. Split this onto 10 PCs and it takes 1 day. Probably 4 hours on a mainframe. Basically the most labor intensive part of this is keeping the laser printers full of check stock.

There's something wrong with the picture here.

------------------------------

Date: Mon, 03 Nov 2003 11:04:59 -0800
From: Adam Abrams <adamabrams@private>
Subject: Another victim of the d__n bad-word filter!

I tried to register as a user at collectorcartraderonline.com in order to save a search. Filled out everything, clicked "submit", and got this odd message:

  "This e-mail address has been flagged as inadmissible and you are unable to place an ad."
This could mean any number of things ranging from benign (I'd already registered and forgotten about it) to downright unsettling (I'm on some secret government hit list). OK, maybe the second one is unlikely, but it was still disturbing...

An e-mail cleared it all up: I'm the latest victim of the "bad word filter". As they put it: "The reason that you are unable to create an account is due to your e-mail address containing a vulgar word that has been flagged by our bad word table."

I had to call their toll free line to have an actual human sign me up. While on hold, I studied my e-mail address with fresh and suspicious eyes. It's my full name + provider, "adamabrams@shaw(dot)ca". Even before the days of e-mail, I'd never noticed anything even slightly vulgar about my name. Could it be "bra"? They might have me flagged as a ladies-undergarment fetishist. "rams"? Maybe the L.A. football team has had an obscenely bad season.

No, it was "dam". That's right, even _misspelled_ bad words set off the alarm. So I'm also being punished for other people's illiteracy.

I guess the RISK is mainly that they'll lose customers due to an overzealous data filter that flags letter combinations that appear in many everyday words.

(Turns out the rep entered part of my address incorrectly, but when I logged in to correct my profile, my e-mail triggered the same bad-language flag again! OK... I give up.)

------------------------------

Date: Mon, 3 Nov 2003 07:08:12 -0800
From: Rob Slade <rslade@private>
Subject: REVIEW: "High Integrity Software", John Barnes

BKHISTSA.RVW   20030913

"High Integrity Software", John Barnes, 2003, 0-321-13616-0
%A   John Barnes
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D   2003
%G   0-321-13616-0
%I   Addison-Wesley Publishing Co.
%O   416-447-5101 fax: 416-443-0948 800-822-6339 bkexpress@private
%O   http://www.amazon.com/exec/obidos/ASIN/0321136160/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0321136160/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0321136160/robsladesin03-20
%P   430 p. + CD-ROM
%T   "High Integrity Software: The SPARK Approach to Safety and Security"

Once upon a time, a group set out to build a language which would allow you to write programs that could be formally verified. Formal analysis and proof can be used to determine that a program will work the way you want it to, and not do something very weird (usually at an inopportune time). First came the attempt to build the Southampton Program Analysis Development Environment (or SPADE) using a subset of the Pascal programming language. When it was determined that Pascal wasn't really suitable, research was directed to Ada, and the SPADE Ada Kernel, or (with a little poetic licence) SPARK, was the result.

SPARK can be considered both a subset and extension to Ada, but is best seen as a separate language in its own right. SPARK forbids language structures such as the infamous GOTO statement of Fortran and BASIC (which cannot be formally verified). Support for some object-oriented features has been included in SPARK, but not for aspects like polymorphism which would make formal proof problematic. A great deal of the security of SPARK lies in the idea of contracts and the use of data specifications (usually referred to as interfaces) that prevent problems such as the unfortunately all-too-ubiquitous buffer overflow.

Part one is an overview of the background and features of SPARK. Chapter one reviews some of the problems of unproven software, and the major components of SPARK. Support for the formal proof functions, such as abstraction (the elimination of details not essential to the fundamental operation of the concept or function) are discussed in chapter two. The various analysis tools are listed in chapter three.

Part two outlines the SPARK language itself. Chapter four describes the structure of SPARK and the lexical items it contains. Language elements are covered in chapters five, six, and seven, successively dealing with the type model and operators, control and data flow, and packages and visibility (local, global, etc.) which also reviews the object-oriented aspects of SPARK. Interfacing of the various parts of SPARK, and also of SPARK and other languages, is in chapter eight.

Part three looks at the various analytical utilities in SPARK and the proof process. Chapter nine concentrates on the main Examiner tool. A mathematical discussion of data flow analysis, in chapter ten, is not necessary to the operation of SPARK, but provides background and explanation. Verification, and the instruments that support it, are reviewed in chapter eleven. Chapter twelve examines the rather vague practice of design, and proposes the INFORMED (INformation Flow Oriented MEthod of Design) process, although it seems to be limited to some admittedly useful principles. A list of similar precepts makes up the eponymous programming "Techniques" of chapter thirteen. Chapter fourteen retails a number of case studies of the possible use of SPARK for various applications: the simpler ones also contain source code.

Both the writing in the book, and the explanations of SPARK, are clear. Formal methods of architecture and programming are not well understood, and this text does provide some justification for the exercise, although more evidence and support would be welcome. I recommend this work not only to those interested in more secure applications development, but also to those needing more information about formal methods in composition and system architecture.

copyright Robert M. Slade, 2003   BKHISTSA.RVW   20030913
rslade@private  slade@private  rslade@private
victoria.tc.ca/techrev/mnbksc.htm
sun.soci.niu.edu/~rslade/secgloss.htm

------------------------------

Date: 30 May 2003 (LAST-MODIFIED)
From: RISKS-request@private
Subject: Abridged info on RISKS (comp.risks)

 The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  Alternatively, via majordomo,
 send e-mail requests to <risks-request@private> with one-line body
   subscribe [OR unsubscribe]
 which requires your ANSWERing confirmation to majordomo@private .
 If Majordomo balks when you send your accept, please forward to risks.
 [If E-mail address differs from FROM:  subscribe "other-address <x@y>" ;
 this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
 Lower-case only in address may get around a confirmation match glitch.
   INFO     [for unabridged version of RISKS information]
 There seems to be an occasional glitch in the confirmation process, in which
 case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
   .UK users should contact <Lindsay.Marshall@private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> The INFO file (submissions, default disclaimers, archive sites,
 copyright policy, PRIVACY digests, etc.) is also obtainable from
 http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
 The full info file will appear now and then in future issues.  *** All
 contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@private with meaningful SUBJECT: line.
 *** NEW: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: http://www.sri.com/risks
 http://www.risks.org redirects you to Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]
 Lindsay has also added to the Newcastle catless site a palmtop version
 of the most recent RISKS issue and a WAP version that works for many but
 not all telephones: http://catless.ncl.ac.uk/w/r
 http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
 http://www.planetmirror.com/pub/risks/  ftp://ftp.planetmirror.com/pub/risks/
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
 http://www.csl.sri.com/illustrative.html for browsing,
 http://www.csl.sri.com/illustrative.pdf or .ps for printing

------------------------------

End of RISKS-FORUM Digest 23.01
************************