RISKS-LIST: Risks-Forum Digest  Thursday 18 December 2003  Volume 23 : Issue 07

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at http://www.risks.org as
  http://catless.ncl.ac.uk/Risks/23.07.html
The current issue can be found at
  http://www.csl.sri.com/users/risko/risks.txt

  Contents:
Remote-controlled trains (Bill Tolle)
Over-reliance on PowerPoint leads to simplistic thinking (NewsScan)
Japan's Mars probe goes off course (PGN)
Risk of a test message: Heated Training Session (Patrick Lincoln)
Voter information up for grabs (NewsScan)
Voting machine maker dinged (Lillie Coney)
Convicted felons worked for electronic voting companies (Susan Marie Weber)
Re: Diebold ATMs hit by Nachi worm (Drew Dean)
Re: Why have electronic voting machines at all? (Russ Cooper)
Proper understanding of "The Human Factor" (Don Norman)
April Fool's e-mail freed detained kidnapper (Lillie Coney)
This number's ready for prime time (Mark Brader)
Correction for RISKS-23.06 (Trevor Zacks)
Free lunch? Or double-or-nothing? (Rob Slade)
REVIEW: "Effective Security Management", Charles A. Sennewald (Rob Slade)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 08 Dec 2003 16:10:19 -0600
From: Bill Tolle <Bill3849094@A-Buyers-Realty.com>
Subject: Remote-controlled trains

A railroad worker was struck and killed by one of the locomotives he was operating by remote control from the Union Pacific rail yards in San Antonio, TX.
  [Source: AP item, *Houston Chronicle*, 8 Dec 2003]
  http://www.chron.com/cs/CDA/ssistory.mpl/metropolitan/2279855

------------------------------

Date: Mon, 15 Dec 2003 08:42:21 -0700
From: "NewsScan" <newsscan@private>
Subject: Over-reliance on PowerPoint leads to simplistic thinking

NASA's Columbia Accident Investigation Board has fingered the agency's over-reliance on Microsoft PowerPoint presentations as one of the elements leading to last February's shuttle disaster. The Board's report notes that NASA engineers tasked with assessing possible wing damage during the mission presented their findings in a confusing PowerPoint slide so crammed with bulleted items that it was almost impossible to analyze. "It is easy to understand how a senior manager might read this PowerPoint slide and not realize that it addresses a life-threatening situation," says the report. NASA's findings are echoed in a pamphlet titled "The Cognitive Style of PowerPoint," authored by information presentation theorist Edward Tufte, who says the software forces users to contort data beyond reasonable comprehension. Because only about 40 words fit on each slide, a viewer can zip through a series of slides quickly, spending barely 8 seconds on each one. And the format encourages bulleted lists -- a "faux analytical" technique that sidesteps the presenter's responsibility to link the information together in a cohesive argument, according to Tufte, who concludes that ultimately, PowerPoint software oozes "an attitude of commercialism that turns everything into a sales pitch."
  [*The New York Times*, 14 Dec 2003; NewsScan Daily, 15 December 2003]
  http://partners.nytimes.com/2003/12/14/magazine/14POWER.html

------------------------------

Date: Tue, 9 Dec 2003 13:48:28 PST
From: "Peter G. Neumann" <neumann@private>
Subject: Japan's Mars probe goes off course

Nozomi ("hope"), Japan's first interplanetary explorer, went off course in attempting to orbit Mars, culminating a five-year journey.
Efforts to salvage the mission have failed and the probe has almost run out of fuel, although the probability of a collision with Mars has reportedly been reduced from 1% to 0%.
  http://www.cnn.com/2003/TECH/space/12/09/japan.mars.ap/index.html

------------------------------

Date: Thu, 18 Dec 2003 07:34:38 -0800
From: Patrick Lincoln <lincoln@private>
Subject: Risk of a test message: Heated Training Session

According to an advisory issued on 17 Dec 2003 by the National Weather Service, "... the Earth has left its orbit and is hurtling towards the sun." The post on the National Oceanic & Atmospheric Administration's Web site continued: "Unusually hot weather will occur for at least the next several days as the Earth draws ever nearer to the sun. Therefore, an excessive heat watch has been posted." The release was a test message, erroneously posted by during a training session. The statement has since been removed.
  http://www.informationweek.com/story/showArticle.jhtml?articleID=17000138

------------------------------

Date: Thu, 11 Dec 2003 10:23:45 -0700
From: "NewsScan" <newsscan@private>
Subject: Voter information up for grabs

Unbeknownst to most citizens, state officials are selling their voter-registration information to political candidates, nonprofit groups and data collectors who then combine it with census data, purchasing histories, credit reports and magazine subscription lists in order to fine-tune their messages or marketing pitches to specific constituencies, such as pickup truck drivers who subscribe to "Soldier of Fortune" or SUV drivers who buy lacy underwear at Victoria's Secret. And while some states limit sales to political groups, 22 states lack any criteria restricting who may purchase the information. "Voters fill out these forms in good faith, thinking the information they're providing is needed for the purpose of administering elections," says California Voter Foundation founder Kim Alexander.
"Then they get phone calls or a knock on the door from campaign strangers who have a list of their personal data." Alexander says the information requested by many states, such as Social Security numbers and mother's maiden names, could easily be used for identity theft. The situation has become especially troubling since Congress passed the Help America Vote Act last year, which required that states develop a centralized, statewide voter-registration database, making it possible for third parties to collect huge amounts of data very easily. Alexander says the reason there's been no outcry against the practice is that "the people who ultimately decide how voter data should be allowed to be used are the politicians... Politicians need to rein in the laws, yet they're the biggest consumers of data."
  [Wired.com, 11 Dec 2003; NewsScan Daily, 11 Dec 2003]
  http://www.wired.com/news/business/0,1367,61507,00.html?tw=wn_tophead_2

------------------------------

Date: Thu, 18 Dec 2003 09:53:56 -0500
From: Lillie Coney <lillie.coney@private>
Subject: Voting machine maker dinged

California Secretary of State Kevin Shelley has said that Diebold Elections Systems could lose the right to sell electronic voting machines in California. State auditors found that Diebold distributed software versions in 17 counties that had not been certified by the state, and that in 3 of those counties (including Los Angeles County) the systems had not been approved by the Federal Election Commission.
  [Source: Voting machine maker dinged, Auditor says software wasn't approved, Elise Ackerman, *San Jose Mercury News*, 17 Dec 2003; PGN-ed]

  [And as noted here on various occasions, the FEC standards are very weak to begin with. Even the California certification process does not require any MEANINGFUL assurance that electronic machines record cast votes correctly. PGN]

------------------------------

Date: Tue, 16 Dec 2003 22:30:58 -0800
From: "SusanMarieWeber" <susanmarieweber@private>
Subject: Convicted felons worked for electronic voting companies

Voter advocate Bev Harris alleged Tuesday that managers of a voting-machine subsidiary of Diebold Inc. included at least five convicted felons, among them a cocaine trafficker, a man who conducted fraudulent stock transactions, and a programmer jailed for falsifying computer records. The programmer, Jeffrey Dean, wrote and maintained a proprietary code used to count hundreds of thousands of votes as senior vice president of Global Election Systems Inc. Ohio-based Diebold purchased GES in January 2002. According to a court document released before GES hired him, Dean served time in a Washington correctional facility for stealing money and tampering with computer files in a scheme that "involved a high degree of sophistication and planning."

In January, Senator Barbara Boxer, D-Calif., will submit a bill requiring stringent background checks on all electronic voting company employees who work with voting software. The bill, which Boxer plans to introduce in January, would toughen security standards for voting software and hardware, and require touch-screen terminals to include printers and produce paper backups of vote counts by the 2004 presidential election.
  [Source: Critics: Convicted felons worked for electronic voting companies, Rachel Konrad, Associated Press, 16 Dec 2003; PGN-ed]
  http://www.bayarea.com/mld/mercurynews/news/local/7507193.htm
  Also see http://www.wired.com/news/evote/0,2645,61640,00.html

  [And this story does not even mention Phil Foster, employee of Sequoia Pacific, indicted for vote fraud, who was working in the back rooms during the elections of Riverside County, November, 2000. smw]

  [... or a bunch of other felony convictions related to voting.
  Of course the risks of undetected errors and malicious misdeeds in voting machines have been discussed for years in RISKS. It is encouraging that more people are beginning to understand the risks. PGN]

------------------------------

Date: Tue, 09 Dec 2003 15:50:42 -0800 (PST)
From: Drew Dean <ddean@private>
Subject: Re: Diebold ATMs hit by Nachi worm (Cooper, RISKS-23.06)

I find Russ Cooper's contribution to be symptomatic of the security community's world view: security über alles. Yes, it may be more secure if an ATM always initiates contact with the outside world, but it has major impacts in manageability, and also opens up new threats.

Consider the following scenario: There's an ATM, indirectly connected to the Internet, sitting in a shopping mall. It's 3am (local time -- always true somewhere in the world), the mall is locked up tight, and there's a worm on the loose. Said worm is programmed to look for vulnerable ATMs, and cause them to dispense all the cash they hold. It would be a Bad Thing(tm) if the mall opens the next morning with cash scattered all over the floor. Observe that sending a service technician out is extremely expensive, and logistically difficult/impossible. It's both faster and cheaper for the bank's data center to remotely patch the ATMs from a central location.

Now, you can argue that the ATM should be polling the data center for patches, but that opens up an equivalent vulnerability: once the polled machine is compromised, it sends the patch(es) of the attacker's choice to the ATM, and we end up in the same situation. Of course, if the ATM is compromised, it might stop listening for updates. Partial failure of systems is always difficult to design for, and this example is no different.

I think a fair summary is that the real world is a messy place, with many different threats, and while sound bites may be satisfying to pronounce, they rarely solve the problem.

Drew Dean, Computer Science Laboratory, SRI International

  [Similar comment from Ray Blaak. PGN]

------------------------------

Date: Wed, 10 Dec 2003 05:09:05 -0500
From: "Russ" <Russ.Cooper@private>
Subject: Re: Why have electronic voting machines at all? (RISKS-23.06)

Maybe I missed the comment, but it seems to me that one of the most compelling reasons for e-voting, getting more people out to vote, is being missed in these threads. Maybe voter turnout in the States is always >50%; it isn't here (Canada). If an eligible voter can sit at home, take a couple of minutes, and register their preference in an election, there's a belief that a lot more people will vote. I fail to see how anything else could be as likely to increase voter participation.

I'm not minimizing the risks or cost involved in making such a scheme work securely, but in a country such as ours where people are broadly distributed, reducing the need for people to go to a polling station is highly desired.

Russ - NTBugtraq Editor

------------------------------

Date: Thu, 11 Dec 2003 12:15:00 -0600
From: "Don Norman" <don@private>
Subject: Proper understanding of "The Human Factor"

  [Warning: This is not a posting of some news item. It is an essay -- well, a lecture -- triggered by two recent RISKS postings, particularly because the second posting completely misunderstood the purpose of the first and didn't bother to read the book which was being recommended. And exhibited an attitude on the part of designers that is the biggest risk of all risks -- because it is the kind of attitude that causes the very problems the RISKS group is designed to eliminate.
  DN]

If we assume that the people who use technology are stupid ("Bubbas") then we will continue to design poorly conceived equipment, procedures, and software, thus leading to more and more accidents, all of which can be blamed upon the hapless users rather than the root cause -- ill-conceived software, ill-conceived procedural requirements, ill-conceived business practices, and ill-conceived design in general.

This appears to be a lesson that must be repeated frequently, even to the supposedly sophisticated reader/contributor to RISKS.

It is far too easy to blame people when systems fail. The result is that over 75% of all accidents are blamed on human error. Wake up people! When the percentage is that high, it is a signal that something else is at fault -- namely, the systems are poorly designed from a human point of view. As I have said many times before (even within these RISKS mailings), if a valve failed 75% of the time, would you get angry with the valve and simply continually replace it? No, you might reconsider the design specs. You would try to figure out why the valve failed and solve the root cause of the problem. Maybe it is underspecified, maybe there shouldn't be a valve there, maybe some change needs to be made in the systems that feed into the valve. Whatever the cause, you would find it and fix it. The same philosophy must apply to people.

Item. I predict that the municipal water and wastewater treatment industry is in for a series of serious accidents. Why? Because of postings like that of Dave Brunberg (RISKS-23.06). He was triggered by Mike Smith's recommendation for the book "The Human Factor" (RISKS-23.04), but without bothering to read the book. So he tells us of the "Bubba factor" in his industry, namely, the belief that operators (named "Bubba") are characterized by stupidity, laziness, and general ineptness. Brunberg complains that he must make his software work despite the incompetence of his operators: "you walk a very fine line between making the plant so inflexible that operators cannot respond to unforeseen problems and giving Bubba a little too much latitude."

No wonder we continue to have problems. It is this attitude of developers that causes the very problems they complain about.

The book, "The Human Factor", is in fact an excellent argument against Brunberg's point of view. In it, the author (Kim Vicente) points out that procedural demands, business practices that reward productivity and punish safety, and the inability of system designers to understand the real requirements on the plant operators are what leads to failure. Poor Bubba is yelled at by his bosses for slowing up production, penalized if he raises questions about safety. If he follows procedures, he can't meet production requirements. If he violates them -- which is what everyone is forced to do -- he is punished if an accident occurs. No matter that lots of other Bubbas have warned about that likelihood.

Let me also recommend the excellent "Field Guide to Human Error Investigations." Here, the author (Sidney Dekker) points out that the old view of human error is that it is the cause of accidents whereas the new view is that it is a symptom of trouble deeper inside a system. Alas, the "old" view is in actuality the current view, whereas the "new" view is still seldom understood. (The "new" view has only been around for 50 years, so I suppose we need to give it more time.) The Field Guide is about aviation, but it is very applicable to the waste industry as well -- and to hospitals, and emergency crews, and manufacturing plants, and any situation where accidents are being blamed on people.

The most serious RISK in all this is that people take the easy way out, blame the operator for incompetence, and then smile smugly from their air-conditioned office, far away from the plant. As long as this attitude persists, we will have bigger and bigger accidents.

DISCLAIMER (MILD). My strong recommendation for "The Human Factor" appears on the back jacket of that book and on my website. My equally strong recommendation for the "Field Guide" will appear on my website Real Soon Now.

Dekker, S. (2002). The field guide to human error investigations. Burlington VT: Ashgate.
Vicente, K. J. (2003). The human factor: revolutionizing the way people live with technology. Toronto: A. A. Knopf Canada.

Don Norman, Nielsen Norman Group and Northwestern University
norman@private  http://www.jnd.org

------------------------------

Date: Thu, 04 Dec 2003 12:42:14 -0500
From: Lillie Coney <lillie.coney@private>
Subject: April Fool's e-mail freed detained kidnapper

A Homeland department employee's prank e-mail prompted the release of an immigration agency detainee who had been convicted of kidnapping, according to the department's Inspector General. The unidentified detainee turned himself in to Immigration and Customs Enforcement deportation officers two days after his improper release. The employee sent an April Fool's e-mail to 16 ICE detention officers and supervisors advising them that the detainee's citizenship had been established with a Puerto Rican birth certificate, which authorized his release. At the end of the e-mail, the employee wrote, "Now about that bridge I'm selling. April Fools!" Nine minutes later, the employee sent a second e-mail that began by saying, "In case you didn't get to the end of my previous message, here's what really happened today." The second message said that the detainee had been ordered deported to the Dominican Republic. A homeland officer who read the first prank e-mail but did not note the April Fools reference, and did not read the second e-mail, processed paperwork that authorized the detainee's release from a county jail on 2 Apr.
  [Source: Wilson P.
  Dizard III, Government Computer News (gcn.com), 28 Nov 2003; PGN-ed]

------------------------------

Date: Tue, 9 Dec 2003 20:14:06 -0500 (EST)
From: msb@private (Mark Brader)
Subject: This number's ready for prime time (RISKS-23.06)

Primes of the form 2-to-the-power-of-P would be *exceedingly* rare. [Yes, ONLY ONE for P>1. PGN] Fortunately, that's not what the New Scientist article actually says.

  [MINUS ONE was inadvertently omitted from the parenthetical, and has been added to the archive copy. Noted by many of you. TNX. PGN]

------------------------------

Date: 15 Dec 2003
From: Trevor Zacks
Subject: Correction for RISKS-23.06 (via Lindsay Marshall)

New official self-service litigation system available in England/Wales: link is (now) not
  https://www.moneyclaim.gov.uk/csmco/index.html
but
  http://www.courtservice.gov.uk/mcol/
corrected in the on-line version of the Telegraph at the specified link.

  [Also corrected in RISKS archives. PGN]

------------------------------

Date: Mon, 15 Dec 2003 13:11:27 -0800
From: Rob Slade <rslade@private>
Subject: Free lunch? Or double-or-nothing?

Leave your cards in the car when you walk into McQuickFood, lest you end up paying for your neighbour's lunch. (We've already seen this with SpeedPass, have we not?)

CREDIT CARDS DO THE WAVE (From NewsScan)

MasterCard and American Express have been testing "contactless" versions of their credit cards that use an embedded RFID chip rather than a magnetic strip to store financial data. The cards can simply be waved in front of a reader to complete the purchase. "In some instances it's faster than cash. You're eliminating the fumble factor," says a MasterCard VP. The company plans to roll out its PayPass system next year, beginning in fast food joints and other venues where customers tend to be in a hurry. Forrester Research predicts it will take several years for the contactless cards to go mainstream, citing consumers' security concerns and unfamiliarity with the technology as impediments to change. (AP/Wired.com 14 Dec 2003)
  http://www.wired.com/news/technology/0,1282,61603,00.html?tw=wn_tophead_7

rslade@private  slade@private  rslade@private
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

------------------------------

Date: Tue, 16 Dec 2003 08:28:19 -0800
From: Rob Slade <rslade@private>
Subject: REVIEW: "Effective Security Management", Charles A. Sennewald

BKEFSCMN.RVW   20031006

"Effective Security Management", Charles A. Sennewald, 2003, 0-7506-7454-7, U$49.95/C$72.50
%A   Charles A. Sennewald
%C   225 Wildwood Street, Woburn, MA   01801
%D   2003
%G   0-7506-7454-7
%I   Butterworth-Heinemann/CRC Press/Digital Press
%O   U$49.95/C$72.50 800-366-BOOK fax 800-446-6520 www.bh.com/bh/
%O   http://www.amazon.com/exec/obidos/ASIN/0750674547/robsladesinterne
     http://www.amazon.co.uk/exec/obidos/ASIN/0750674547/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0750674547/robsladesin03-20
%P   395 p.
%T   "Effective Security Management"

The preface makes clear that the author's major background is in the field of physical security. This is evident in places throughout the rest of the book, but much of the material is more broadly applicable. The introduction presents a wonderful statement about management, that it is "the ability to create an environment in which other individuals willingly participate to achieve objectives."

Part one deals with general security management. Chapter one outlines some principles of organization, and provides an excellent overview of the basics of management. The physical security background shows in, for example, the assumption that demonstrating a "contribution to profits" is relatively straightforward and easy to quantify.
The review questions at the end of the chapter are an adequate summary of the material, but provide no more than a simple reading check. Organizational structure, in chapter two, is based on the real world rather than theory. Sennewald notes the difference between formal and informal arrangements, as well as both the good and bad reasons that the two exist. Security's role in the organization emphasizes physical security, but chapter three also addresses non-traditional functions such as training, internal consulting, and executive protection. Chapters four, five, and six deal with the roles of, respectively, the security director, supervisor (emphasizing the chain of command), and employee (mostly stressing personal character and integrity).

Part two addresses security personnel management. Chapter seven, on hiring, is reasonable, but fails to provide useful guidance on avoiding common pitfalls in reviewing resumes and interviewing candidates. There is, for example, a heavy reliance on open-ended questions, which often backfire on interviewers since the responses tend to be so different that it makes the difficult task of judging between people even harder. The creation of a job description, in chapter eight, provides good pointers and a helpful outline. There are more complaints about how training is done poorly than suggestions about how to fix the problem in chapter nine. The material on discipline, in chapter ten, is good but not great. In regard to the motivation of employees, Sennewald presents the classic "Theory X and Theory Y" model, but chapter eleven is more concerned with pointing out the disadvantages of punishment and control (X) than with suggesting how to support employees (Y). Chapter twelve, on promotions, repeats many of the points of chapter seven. The vague look at communications, in chapter thirteen, is not necessarily helpful. The classic debate between employment of, or contracting out, security personnel is presented in chapter fourteen.

Part three considers operational management. Budgeting, in chapter fifteen, is a good start for those without a financial background, but gets bogged down in specific forms. The basics of risk management (albeit limited to physical security situations) are introduced in chapter sixteen. Some expansion is given in chapter seventeen, but the content is generally duplicated, and I wonder why the chapters were split. Review and audit, renamed the security survey, is important, but chapter eighteen seems to be a not-completely-recycled magazine article. It seems odd to cover office administration, in chapter nineteen, but many physical security officers may have limited office background, so this might be quite useful. The discussion of policy and procedures, in chapter twenty, primarily deals with procedures. Chapter twenty one, on computers and security management, is the longest in the book, but is only a computer literacy article and addresses no specific security applications. Sennewald argues that statistics can be useful, but chapter twenty two does not provide much direction in their manipulation.

Part four deals with public relations. A pedestrian selling job for security is in chapter twenty three. The relationship with law enforcement, in chapter twenty four, emphasizes what the police can provide. Chapter twenty five promotes cooperation with those in the same industry and the importance of trade groups, as well as community service. This latter topic is expanded in twenty six.

Chapter twenty seven is a very recognizable list of thirty two "jackass traits" for managers, pointing out all kinds of mistakes people can make. How to improve your performance gets less space, and it is hard to know where to draw the line between opposing problems, such as "the Despot" and "The Popularity Kid."

Despite specific problems, this book provides some extremely valuable advice for security managers of all kinds, not just the physical security officers at whom it is aimed.
copyright Robert M. Slade, 2003   BKEFSCMN.RVW   20031006
rslade@private  slade@private  rslade@private
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

------------------------------

Date: 7 Oct 2003 (LAST-MODIFIED)
From: RISKS-request@private
Subject: Abridged info on RISKS (comp.risks)

 The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  Alternatively, via majordomo,
 send e-mail requests to <risks-request@private> with one-line body
   subscribe [OR unsubscribe]
 which requires your ANSWERing confirmation to majordomo@private .
 If Majordomo balks when you send your accept, please forward to risks.
 [If E-mail address differs from FROM:  subscribe "other-address <x@y>" ;
 this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
 Lower-case only in address may get around a confirmation match glitch.
   INFO     [for unabridged version of RISKS information]
 There seems to be an occasional glitch in the confirmation process, in which
 case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
 .UK users should contact <Lindsay.Marshall@private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> The INFO file (submissions, default disclaimers, archive sites,
 copyright policy, PRIVACY digests, etc.) is also obtainable from
 http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
 The full info file will appear now and then in future issues.  *** All
 contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@private with meaningful SUBJECT: line.
 *** NEW: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: http://www.sri.com/risks
 http://www.risks.org redirects you to the Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]
 Lindsay has also added to the Newcastle catless site a palmtop version
 of the most recent RISKS issue and a WAP version that works for many but not
 all telephones: http://catless.ncl.ac.uk/w/r
 http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
 http://www.planetmirror.com/pub/risks/  ftp://ftp.planetmirror.com/pub/risks/
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
 http://www.csl.sri.com/illustrative.html for browsing,
 http://www.csl.sri.com/illustrative.pdf or .ps for printing

------------------------------

End of RISKS-FORUM Digest 23.07
************************
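Appended here as an editor's worked example (it is not part of the digest, nor Mark Brader's or PGN's text) to make the correction in "This number's ready for prime time" concrete: numbers of the form 2**P are prime only for P = 1, whereas numbers of the form 2**P - 1 (the form the New Scientist article actually meant) are prime for many prime exponents P. The code checks both claims by computation, using the standard Lucas-Lehmer primality test for 2**P - 1; the function names and the exponent limits are this example's own choices.

```python
# Editor's added example; not code from the RISKS digest or its contributors.
# Checks the two readings discussed in the "prime time" item: 2**P versus 2**P - 1.

from typing import List


def is_prime(n: int) -> bool:
    """Trial-division primality test; adequate for the small values used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def lucas_lehmer(p: int) -> bool:
    """True iff M_p = 2**p - 1 is prime (Lucas-Lehmer test).

    For prime p > 2, iterate s_0 = 4, s_{k+1} = s_k**2 - 2 (mod M_p) for p - 2
    steps; M_p is prime exactly when the final value is 0.
    """
    if p == 2:
        return True  # M_2 = 3 is prime; the iteration proper applies for p > 2
    if not is_prime(p):
        return False  # if p is composite, 2**p - 1 is composite as well
    m = (1 << p) - 1
    s = 4
    for _ in range(p - 2):
        s = (s * s - 2) % m
    return s == 0


def prime_powers_of_two(limit: int) -> List[int]:
    """Exponents P in 1..limit for which 2**P itself is prime.

    Every power of two beyond 2**1 is even and larger than 2, so only P = 1 survives.
    """
    return [p for p in range(1, limit + 1) if is_prime(1 << p)]


def mersenne_exponents(limit: int) -> List[int]:
    """Exponents P in 2..limit for which the Mersenne number 2**P - 1 is prime."""
    return [p for p in range(2, limit + 1) if lucas_lehmer(p)]


if __name__ == "__main__":
    print("P <= 60 with 2**P prime:      ", prime_powers_of_two(60))
    print("P <= 130 with 2**P - 1 prime: ", mersenne_exponents(130))
```

The first list comes out as [1] alone, which is the point of the correction: read literally, "primes of the form 2**P" would be not just rare but a single value. The second list (2, 3, 5, 7, 13, 17, 19, 31, 61, 89, 107, 127 for P up to 130) shows that the Mersenne form is the one under which new record primes keep turning up, and that a prime exponent is necessary but not sufficient (P = 11 fails the test because 2**11 - 1 = 2047 = 23 * 89).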
This archive was generated by hypermail 2b30 : Thu Dec 18 2003 - 15:19:54 PST