RISKS-LIST: Risks-Forum Digest  Thursday 15 April 2004  Volume 23 : Issue 32

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/23.32.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Republicans walk out of Federal hearing on voting machines (Lynn Landes)
USB "square" plugs (Henry Baker)
Re: Who's in charge of the e-mail virus war ... (Steve Summit)
Radar guns, again (Adam Shostack)
Wireless hacking (NewsScan)
Citibank data compromised without using it? (Art Mellor)
Re: Chinooks again (Peter B. Ladkin)
REVIEW: "Ethics and Technology", Herman T. Tavani (Rob Slade)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 15 Apr 2004 12:02:17 EDT
From: VoteFraud2@private
Subject: Republicans walk out of Federal hearing on voting machines, Landes

Republicans Walk Out Of Federal Hearing On Voting Machines,
While Some Civil Rights Groups Support "Paperless" Elections
by Lynn Landes, www.dissidentvoice.org, April 13, 2004
http://www.dissidentvoice.org/April2004/Landes0413.htm

As the battle over voting machines rages across the country, the U.S. Commission on Civil Rights met on 9 Apr 2004, to examine the "Integrity, Security and Accessibility in the Nation's Readiness to Vote." Two scientists and four representatives of civil rights organizations were invited to brief the Commission. But, before the panelists had a chance to share their views, three Republican commissioners and one (notably conservative) Independent commissioner walked out, ostensibly over a personnel dispute. But, others are not so sure. It appears that voting technology is a topic that the Republican leadership wants to tightly control.
It is without doubt that Republicans own most of the companies that manufacture, sell, and service voting machines. And President Bush and the Republican Congress appear determined to control and limit oversight of the elections industry. The Bush Administration has stacked the Election Assistance Commission with supporters of paperless voting technology, while the National Institute of Standards and Technology (NIST) got walloped with a $22 million budget cut in fiscal 2004, which means that NIST will have to cut back substantially on its cyber security work, as well as completely stop all work on voting technology for the Help America Vote Act. With no mandatory federal standards or certification in place and no funding available, the Bush Administration and Republican-controlled Congress have ensured that their friends in the elections industry maintain control of voting technology and, in effect, election results.

So, at Friday's hearing, Republican members of the Commission of Civil Rights decided that the issue of voting -- the lynchpin of democracy -- should take a back seat to employee contract buyouts. Chairperson Mary Frances Berry, a Professor of History and Adjunct Professor of Law, at the University of Pennsylvania, decided to soldier on with the hearing. And that's when the second big disappointment of the hearing became apparent.

Some of America's largest civil rights organizations have lined up with the Republicans on this subject. They support 'paperless' voting technology. No fuss, no muss. They are: Meg Smothers, Executive Director of the League of Women Voters of Georgia; Wade Henderson, Executive Director of the Leadership Conference on Civil Rights; Jim Dickson, Vice President, American Association of People with Disabilities; and Larry Gonzalez, Director, National Association of Latino Elected and Appointed Officials.

Only one panelist at Friday's hearing spoke out against paperless elections, Dr. Rebecca Mercuri, one of the nation's leading experts on computer voting security. It's a familiar muddle for Mercuri. Last year she was the only election official kicked out of the annual conference of the International Association of Clerks, Recorders, Election Officials, and Treasurers (IACREOT). The complaint was that she wasn't really an election official, which she really was. So, it was perverse justice that at Friday's hearing Mercuri found herself the only panelist invited in to defend the voter's right to verify their own paper ballot. Make that, "alleged" ballot, since a machine-processed ballot can only produce circumstantial evidence of the voter's intent.

There was no one at the hearing to represent the point of view that only voters have the right to vote, not machines; that only voters can produce real evidence of their own intent, not machines; and that with voting machines there is no effective ability to discover vote fraud, no ability to enforce the Voting Rights Act, no real integrity or security to the voting process, at all.

The hearing was a replay of many meetings this writer has attended on the subject of voting machines. The focus was on regaining the voters' trust and confidence in voting machines, while blaming poll workers for machine "glitches" and malfunctions, and blaming the public for not being computer savvy. The overall request of the panelists was for increased education of poll workers and the public. Jim Dickson continued to insist that the blind could not vote without touchscreen machines, despite the fact that the paper ballot template with an audiocassette (a combination that is used in Rhode Island, Canada, and around the world) is a simpler and easier solution.

As I have written in previous columns, if election officials want a fast ballot count, they can limit the size of the voting precincts or increase the number of election officials.
If more election officials are needed they can be drafted into public service as is done all year around for jury duty. Likewise, voters who don't understand English could order ballots in their own language in advance of an election.

Then there was the incredulous argument put forward that voting machines save money, as reports filter in that some communities already need to replace their 3-year-old touchscreen voting machines due to rampant equipment malfunctions, costing millions more in taxpayer dollars.

Most of the panelists insisted to Commission members that paperless touchscreen technology is the best performing voting system. But, how could they know? And performing at what? Accuracy, accessibility, vulnerability? What about performing under the U.S. Constitution and the law? Incredibly, there has been no comparative study conducted of all voting systems on any level. The lack of comprehensive studies or standards is an issue that the General Accounting Office (GAO) complained about in an October 2001 report. The GAO report states, "Voting machines do not have effective standards... The standards are voluntary; states are free to adopt them in whole, in part, or reject them entirely."

Forgetting for a moment about the Constitutional issue, even if there was a comprehensive technical analysis of all voting systems, it is "vulnerability" -- the ease with which votes can be manipulated or lost -- that should trump concerns about accuracy and accessibility. Let's just assume that picking up the phone and calling in our votes was the most accurate and accessible way to vote. Can anyone reasonably argue that it would be a secure voting method? Logic dictates that even if lots of people incorrectly fill out their ballots and lots of election officials incorrectly count up the ballots, the ability to move massive numbers of votes through technology (whether deliberately or by accident) cannot compare to simple ballot box stuffing or similar petty election crimes.
Even when we do look at the limited studies done on technical performance (overvotes and undervotes), voting machines take a back seat to hand marked, cast, and counted paper ballots. The latest Massachusetts Institute of Technology (MIT) study actually puts hand counted paper ballots at the top of the list for voting system performance for overvotes and undervotes. "The difference between the best performing and worst performing technologies is as much as 2 percent of ballots cast. Surprisingly, (hand-counted) paper ballots -- the oldest technology -- show the best performance." This is the finding of two Massachusetts Institute of Technology (MIT) political science professors, Dr. Stephen Ansolabehere and Dr. Charles Stewart III, in a September 25, 2002 study entitled, Voting Technology and Uncounted Votes in the United States. This study was an update of a previous CalTech/MIT study.

Some of the panelists misrepresented the results of the California Recall election, once again claiming that touchscreens performed the best, when in fact, they did no such thing. Dr. Mercuri, who has extensively studied that particular election, says:

  "Essentially, what the California Recall Election showed was that it was not the type of (voting) system (that matters), in other words, DREs (direct recording electronics)/touchscreen, optical scan, or punchcard, but rather the models within each of the types that could be either good or bad. For example, the second best performing system in terms of residual votes (undervotes or overvotes) was actually one of the punchcard systems. But, (it was) the type that sucks the chad out rather than leaves it hanging there. Even within particular systems, it (performance) could also be good or bad. For example, the Diebold touchscreen, which out-performed all of the systems in the yes/no California Recall question, was the eighth worst in the candidates selection.
  This demonstrates that it is inappropriate to characterize an entire family of systems, or even a particular system, as good or bad just on the basis of their type. Further research has been needed for a long time on improving the usability of voting systems, but to date, funding has been lacking in comparison with the purchasing allocations."

Again, it doesn't take a PhD in computer science to conclude that vote fraud or system failure in a machine-free election simply cannot compare to the unlimited damage technology can do to the voting process. It is really a question about how risk should be managed. Should the risk of election fraud or system failure be spread out among millions of voters and thousands of poll watchers, or should it be concentrated in the hands of a few technicians -- otherwise known as "putting all your eggs in one basket"?

On a personal note, having been informed by the Commission staff a few days before the hearing about the composition of the panel, that the deck was going to be stacked against voters and in favor of machines, I called and offered to testify. As one of the lead journalists covering this subject, I thought my contribution would help round out the testimony. Although my offer was declined, a member of the Commission indicated that there might be room for me at the next meeting, on May 17th. I sure hope so. Apparently, that's when the voting machine manufacturers will be speaking.

Fundamentally, it doesn't really matter if corporations or government officials control voting technology. The real issue is that 99.4% of Americans aren't really voting, machines are. But, if C-SPAN covers the hearing, perhaps the public will finally get the picture -- that voting machines aren't some passive technology designed to 'assist' with the voting process. Instead, voting machines constitute a grab for power, a grab for our votes.
Having voting machine manufacturers appear before the Commission could put a face on the farce that is voting in America today. And I'd sure like to be there to help that process along.

Lynn Landes is the publisher of EcoTalk.org and a news reporter for DUTV in Philadelphia, PA. 1-215-629-3553 lynnlandes@private

------------------------------

Date: Thu, 15 Apr 2004 08:49:58 -0700
From: Henry Baker <hbaker1@private>
Subject: USB "square" plugs

I just discovered to my dismay that the USB "square" plug _does_ plug in backwards, although it requires a bit more pressure. I also notice that some manufacturers install the female connectors backwards, so that the roundy side is down/back, rather than up/front. Unless you actually look at the plug before you put it in, this arrangement would lead you to install the plug backwards. So far, I haven't actually destroyed any equipment, but have caused a large number of reboots until I discovered what the problem was.

BAD USER INTERFACE!

------------------------------

Date: Tue, 13 Apr 2004 12:54:12 -0400
From: Steve Summit <scs@private>
Subject: Re: Who's in charge of the e-mail virus war ... (Summit, RISKS 23.30)

In RISKS-23.30, I mused about whether easily clicked-to-execute attachments had reached some kind of irreversible inevitability, and inquired of RISKS readers whether we could do anything about the resulting virus infestation. The response was gratifyingly quick and voluminous, and based on it I can state a conclusion which is not quite so gratifying: there isn't much consensus.

Several readers argued that combinations of existing strategies -- disallowing certain file types, scanning for known virus patterns, correlating sending users and systems with DNS records, etc. -- are effective. Some observed that it's an economic and/or political problem as well as a technical one, and suggested that legal remedies might be required.
Several more did agree that clickable executable attachments are the root of the e-mail virus problem and that easy clickability for these attachments must be specifically removed. Others missed that point and objected that users wouldn't tolerate losing *all* their clickable attachments (i.e. including the non-executable, pure data ones). But still other readers advocated getting rid of all non-text attachments, clickable or not.

Perhaps the largest class of responses pointed out various reasons why disabling easily-clickable .exe attachments won't halt *all* e-mail viruses. Some virus recipients will still be tricked into installing (or doing whatever it takes to authorize) an executable attachment and running it anyway. Some non-directly-executable data types (such as Word documents and Excel spreadsheets) can contain macros which can carry viruses. In light of these difficulties, some readers conclude that the problem is insoluble, while others place their hopes in considerably more elaborate proposals, such as strong sender authentication, or safe "sandboxes" for untrusted code, or tiered capability-based execution environments, or a complete overhaul and replacement of the entire SMTP-based e-mail infrastructure.

My purpose here was not to enter any debates about all the various proposals which have been floated, but I will make the observation that we can't afford to sit on our hands waiting for some evanescently perfect 100% solution which either hasn't been invented yet, or would take years to deploy. The e-mail virus problem is *big*, so if we've got any workable solutions that would "only" address 90% of the problem, those would be well worth pursuing soon; they'd be an awful lot better than doing nothing.

In light of the varied responses I received, I'm less sure than I was that focusing on easy clickability of executable attachments is the obvious short-term approach. But in closing, I must acknowledge David F. Skoll and Erling Kristiansen, who both made the excellent point that, quite aside from any technical solutions, we desperately need to work harder at educating people that e-mail viruses are *not* inevitable, that they neither need to be put up with nor merely reacted to. It *is* possible to eradicate them, mostly if not completely, proactively rather than reactively, and without rendering e-mail (or even attachments) useless in the process. Perhaps if more users can be made aware of these facts, they'll insist that the responsible vendors do something real, comply with some of these suggestions, to eliminate the glaring, unnecessary, not-inevitable-after-all vulnerabilities.

------------------------------

Date: Sat, 10 Apr 2004 09:15:04 -0400
From: Adam Shostack <adam@private>
Subject: Radar guns, again

A Belgian motorist received a speeding ticket for traveling in his Mini at three times the speed of sound. The ticket claimed the man had been caught driving at 3379 kph (2,100 mph) -- or Mach 3 speed -- in a Brussels suburb, according to Belgian newspaper La Derniere Heure. The police claim that human error was to blame for sending out the ticket and have since apologized to the man and promised to fix the radar. (Interestingly, different newspapers report the ticket as being different speeds.)

http://news.bbc.co.uk/2/hi/americas/3613715.stm
http://www.iol.co.za/index.php?click_id=29&art_id=iol1081526736236M522&set_id=1
http://www.dhnet.be/ (but I can't find the original article)

  [Suppose they had put in a bounds check that was somewhat greater than the maximum that any vehicle was capable of attaining, thus preventing the system from issuing tickets for such obviously ridiculous speeds. Unfortunately, then if the radar was the culprit rather than the software, the real speedsters would all get tickets for going exactly the same default speed of the bounds check. PGN]

  [So the questions are: 1) what are the failure modes of these things, and 2) how often does the unit clock cars at Mach 3? Is it easier to filter the failure, or fix it? Are failures often enough to bother fixing, or should we accept a silly-season story once in a while? Adam]

------------------------------

Date: Tue, 13 Apr 2004 06:54:28 -0700
From: "NewsScan" <newsscan@private>
Subject: Wireless hacking

Pointing to a rise in wireless hacking, security expert Joshua Wright of the SANS Institute warns: "All the money you've spent to protect your corporate network is moot if someone hacks your laptop at a wireless access point." And Don LeBeau of security firm Aruba Wireless Networks says that at least one Silicon Valley company suspected it was the target of corporate espionage when it found an unauthorized device surreptitiously establishing a hot spot from a conference room. Shai Guday, group program manager for wireless at Microsoft, urges companies to take the wireless hacking threat seriously: "Wireless is happening. They can't bury their heads in the sand. Wireless is great, but security is more important." [*USA Today*, 13 Apr 2004; NewsScan Daily, 13 April 2004]
<http://www.usatoday.com/tech/wireless/data/2004-04-13-hackers-wireless_x.htm>

------------------------------

Date: Sat, 10 Apr 2004 10:30:06 -0400
From: Art Mellor <art@private>
Subject: Citibank data compromised without using it?

The other day I got a call from the Fraud Alert department at Citibank. When I called, they informed me that my Citibank card had been compromised when data was stolen from BJ's (a big discount club like Costco and Sam's). They noted I had probably heard about this in the news (which I had). They said they were cancelling my card for my protection, and issuing me a new one.

While I am a customer of BJ's, I have never used my Citibank card there. I exclusively use my Discover card. I asked how my credit card number could be at BJ's if I have never used it there.
The service rep said that maybe it was some other info that had been taken, such as my birth date, SSN, etc. When I asked how issuing me a new card would protect me given that "they" already had my sensitive information, I was reprimanded for not appreciating them doing all they could to protect my identity. I told them to cancel the card, but not issue a new one -- I'd use another bank.

I called Discover to ask if my information had been compromised, and according to them, my information was not on the BJ's list of compromised accounts.

So what's going on here? Is there really some information that isn't the card number that can compromise the card, and by getting a new card make me safe? Is Citibank pulling a scam to get me a new card with undoubtedly a new set of conditions? Did Citibank share information including my card number with BJ's for some reason?

Art Mellor : Support the Cure for MS : http://www.scumpa.com/~art/
art@private : http://www.bostoncure.org : 617/899-2360

------------------------------

Date: Sat, 10 Apr 2004 07:44:37 +0200
From: "Peter B. Ladkin" <ladkin@private-bielefeld.de>
Subject: Re: Chinooks again (Youngman, RISKS-23.31)

Neil Youngman said in RISKS-23.31, concerning the recent purchase by the UK MoD of Chinook helicopters, that are sitting on the ground because of severe restrictions on flight, that

  The helicopters were supposed to be in service 6 years ago, but problems
  with radar systems, mean they can not fly in cloud.

This is an incorrect attribution of cause. As far as I know, there are no indications of actual system problems. The cause of the flight restrictions may be found in paragraphs 3.39-3.43 of the UK National Audit Office report "Battlefield Helicopters", 7 April 2004, available from
  http://www.nao.org.uk/publications/nao_reports/03-04/0304486.pdf

The report says that problems with the Chinook HC3 procurement are fourfold:

1. There is a certification problem with the software.
2. The contract did not specify that all the military requirements should be fulfilled. It was assumed that certain capabilities could be retrofitted. They haven't all been, yet.
3. The HC3 has a unique configuration, necessitating additional testing.
4. Capabilities need to be enhanced to deal with a changing operational environment.

The NAO estimates an in-service date of at least mid-2007 for a machine at least as capable as the current HC2/2a variant used by British forces, providing additional funding (about 50% of procurement costs) is found.

The procurement contract apparently did not specify that the system software documentation and code shall be analysed according to military procurement standards on software integrity. It was apparently thought that an adequate safety case could be constructed on the basis of similar systems procured by the Royal Netherlands Air Force. This turned out not to be so. There are two main reasons why an adequate safety case cannot easily be constructed retrospectively. One is restricted access to the source code and other development data. The other is that "legacy software is not amenable to the techniques required to confirm the robustness of software design". It is going to cost a lot and there is no guarantee of success.

  "Consequently, the Chinook HC3 is currently restricted to day/night flying above 500 feet in weather clear of cloud, and where the pilot can fly the aircraft solely using external reference points without relying on the flight displays. These restrictions mean that the helicopters cannot be used other than for limited flight trials." (NAO)

Thanks to David Tombs, of the University of Queensland, for the reference.

Peter B. Ladkin, University of Bielefeld, http://www.rvs.uni-bielefeld.de

------------------------------

Date: Mon, 12 Apr 2004 08:09:21 -0800
From: Rob Slade <rslade@private>
Subject: REVIEW: "Ethics and Technology", Herman T. Tavani

BKETHTCH.RVW   20031025

"Ethics and Technology", Herman T. Tavani, 2004, 0-471-24966-1, U$56.80
%A   Herman T. Tavani
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2004
%G   0-471-24966-1
%I   John Wiley & Sons, Inc.
%O   U$56.80 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0471249661/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0471249661/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0471249661/robsladesin03-20
%P   344 p.
%T   "Ethics and Technology"

The preface states that this is a textbook on ethical issues in cyber (computer and possibly communications) technology for computer science, philosophy, sociology, and library science students.

Chapter one is an introduction to cyberethics, providing the concepts, perspectives, and a methodological framework. There is more detailed examination of the structure of, and practical approach to, ethics than in any other computer ethics book I've reviewed. The questions at the end of the chapter are mostly simple, but some call for analysis and judgment. Establishing a moral system, in chapter two, contemplates using ethics to review consequences, dealing with duty-, contract-, and character-based theories. The material is detailed but, disappointingly after the good start in chapter one, breaks no new ground. Critical thinking, logical argument, and the problems with fallacious arguments are considered in chapter three. Professional ethics are in chapter four. Chapter five has a basic but fairly complete review of privacy, better than some books on the topic (although it does retail the data mining/diapers and beer myth). Chapter six is a general introduction to security, with almost no mention of ethics. Cybercrime, in chapter seven, buys into the myth of the "evil teenage genius," and, again, has almost no mention of ethics. Chapter eight's discussion of intellectual property deals with ethics of copyright and related concepts, but is not as rigorous as chapter one.
Regulation of cyberspace, in chapter nine, is similar. There is fairly standard coverage of equity, access, and employment, in chapter ten, and community and identity, in eleven.

One could have hoped for a book that delivered on the promise of chapter one, but, even without, this is a worthwhile addition to the computer ethics bookshelf.

copyright Robert M. Slade, 2003   BKETHTCH.RVW   20031025

======================  (quote inserted randomly by Pegasus Mailer)
rslade@private  slade@private  rslade@private
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

------------------------------

Date: 5 Apr 2004 (LAST-MODIFIED)
From: RISKS-request@private
Subject: Abridged info on RISKS (comp.risks)

 The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  Alternatively, via majordomo,
 send e-mail requests to <risks-request@private> with one-line body
   subscribe [OR unsubscribe]
 which requires your ANSWERing confirmation to majordomo@private .
 If Majordomo balks when you send your accept, please forward to risks.
 [If E-mail address differs from FROM:  subscribe "other-address <x@y>" ;
 this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
 Lower-case only in address may get around a confirmation match glitch.
   INFO     [for unabridged version of RISKS information]
 There seems to be an occasional glitch in the confirmation process, in which
 case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
   .UK users should contact <Lindsay.Marshall@private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> The INFO file (submissions, default disclaimers, archive sites,
 copyright policy, PRIVACY digests, etc.) is also obtainable from
 <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in future issues.
 *** All contributors are assumed to have read the full info file for
 guidelines. ***
=> SUBMISSIONS: to risks@private with meaningful SUBJECT: line.
 *** NEW: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks [subdirectory i for earlier volume i]
 <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
 Lindsay has also added to the Newcastle catless site a palmtop version
 of the most recent RISKS issue and a WAP version that works for many but
 not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
 <http://www.csl.sri.com/illustrative.html> for browsing,
 <http://www.csl.sri.com/illustrative.pdf> or .ps for printing

------------------------------

End of RISKS-FORUM Digest 23.32
************************
This archive was generated by hypermail 2b30 : Thu Apr 15 2004 - 16:29:07 PDT