RISKS-LIST: Risks-Forum Digest Monday 8 November 2004 Volume 23 : Issue 59 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/23.59.html> The current issue can be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents: New Standards for Elections (NYT editorial summarized by PGN) Some 2004 voting anomalies (PGN) Bidding up prices on online auctions (NewsScan) Identities stolen in seconds (Timothy L. O'Brien via Monty Solomon) Pirates see video games before paying customers do (NewsScan) Music industry on the wrong course (NewsScan) Cahoot online banking security issue (Nik Barron) Westpac Internet Banking problems (Tim Chmielewski) Banks and their marketing/PR departments (Henk Langeveld) Re: TV emits international distress signal (John Levine) Re: Clocks set back a week too early (Martin Hepworth, Mike Causer) Re: Is Windows up to snuff for running our world? (Ron Bean) Re: Battlefield Robotics are risk to the world public (Geoff Kuenning) Book on malicious cryptography (J.H. Haynes) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Sun, 7 Nov 2004 9:45:22 PST From: "Peter G. Neumann" <neumann@private> Subject: New Standards for Elections *The New York Times* lead editorial on 7 Nov 2004 is titled ``New Standards for Elections''. "... the mechanics of our democracy remain badly flawed. From untrustworthy electronic voting machines, to partisan secretaries of state, to outrageously long lines at the polls, the election system was far from what voters are entitled to." Here is my PGN-ed summary of their recommendations: 1. Election day should be a holiday (rather than penalizing employees for having to take time off to vote). 2. Early voting can allow people to vote when it is convenient for them. 3. Voter-verified audit trails, source code accessibility to election officials, spot checks of code on Election Day (as is done in Nevada's slot machines!) 4. Shorter lines at the polls, standards for numbers of voting machines and poll workers. 5. Impartial election administrators, and restrictions on insiders endorsing candidates. 6. Uniform and inclusive voter registration standards. 7. Accurate and transparent voting roll purges. 8. Uniform and voter-friendly standards for counting provisional ballots. 9. Upgraded voting machines and improved ballot design. 10. Fair and uniform voter ID rules. 11. An end to minority vote suppression, disenfranchisement, harassment, dirty tricks. 12. Improved absentee ballot procedures, e.g., downloading absentee ballots from the Internet, but avoiding the ballot-by-scan/fax/e-mail with explicit loss of privacy. The full editorial as well as the entire series can be found at nytimes.com/makingvotescount . ------------------------------ Date: Mon, 8 Nov 2004 16:01:13 PST From: "Peter G. Neumann" <neumann@private> Subject: Some 2004 voting anomalies For those of you interested in following a collection of reported problems more carefully, here are just a few reported anomalies, collected from a variety of sources: * Palm Beach County logged 88,000 more votes than people who had voted in the presidential race. (Teresa LePore of 2000 Butterfly Ballot fame is the County supervisor of elections there.) * A Franklin County Ohio machine error gave Bush 3,893 extra votes in a precinct in Gahanna. The correct totals were 365 for Bush, 260 for Kerry. * In Broward County FL, in balloting for Amendment 4, ES&S software for tabulating absentee ballots began counting BACKWARDS once a total of 32,767 [2^15 - 1, in a signed 16-bit field] votes had been reached in a precinct. When this was discovered, the corrected totals for the precinct went from 166,000 to 240,000, and actually caused the statewide results to be reversed on this amendment. Apparently the same flaw was detected two years ago in the same software, and remained uncorrected. Nick Simicich wondered in a long message to RISKS: Do you suppose that they "fixed" this by making the 16 bit field unsigned? Or do you suppose that they counted the numbers separately using, say, floating point so that they could check the results for large discrepancies? Or maybe that they checked the before and after to see that the numbers increased when they added to them...or anything else that they could do to make this self auditing? Nah...frankly, I'm scared by the stupidity of this error. This is a problem that needs an open source solution. * The failure of the ES&S ranked-choice vote-counting software in the San Francisco Supervisors' election that I noted in RISKS-23.58 turns out to have been a hard-coded constant maximum number of voters that was set too low. The fix was utterly trivial, but wisely required recertification by the State. [Perhaps the same programmer wrote the Broward software?] * Bev Harris reported that ``Jeff Fisher, the Democratic candidate for the U.S. House from Florida's 16th District said he was waiting for the FBI to show up. Fisher has evidence, he says, not only that the Florida election was hacked, but of who hacked it and how... In Baker County, for example, with 12,887 registered voters, 69.3% of them Democrats and 24.3% of them Republicans, the vote was only 2,180 for Kerry and 7,738 for Bush.... Dick Morris [famous consultant to both parties, now with Fox News] wrote "So, according to ABC-TVs exit polls, for example, Kerry was slated to carry Florida, Ohio, New Mexico, Colorado, Nevada, and Iowa.... Exit polls cannot be as wrong across the board as they were on election night. I suspect foul play." '' [See http://www.blackboxvoting.org , *NOT* .com] * Incidentally, Ralph Barone noted an article on the internal database structures of the Diebold voting machines, plus how to hack an election and cover your trail afterwards. http://www.blackboxvoting.com/scoop/S00065.htm * There were numerous reports of screens "jumping" votes in ES&S and Hart InterCivic machines, where casting a straight-party subsequently changes the vote for the President before exiting. * Also reported were many cases of long lines and long waits only in certain politically skewed precincts, many legitimate voters who claim they were disenfranchised, voters who were given special optical scan pens that were not capable of being tallied, and so on. Many Web sources provided running lists of reported anomalies, such as http://www.votersunite.org http://fairvote.org/easttowest.pdf https://voteprotect.org http://www.verifiedvoting.org/eirs/ http://www.electionprotection2004.org/coalition.htm http://www.blackboxvoting.org ------------------------------ Date: Mon, 08 Nov 2004 07:57:29 -0700 From: "NewsScan" <newsscan@private> Subject: Bidding up prices on online auctions Eight eBay sellers who bid up products online to inflate their prices have been ordered by the New York Attorney General's office to pay almost $90,000 in restitution and fines. More than 120 people will receive money from the settlement of the three cases. One man will receive a check for $3,089 after overpaying for a 1999 Jeep Cherokee sport-utility vehicle he bought from an eBay seller in 2002. [*The Washington Post*, 7 Nov 2004; NewsScan Daily, 8 Nov 2004] http://www.washingtonpost.com/wp-dyn/articles/A32944-2004Nov7.html ------------------------------ Date: Sun, 24 Oct 2004 03:51:42 -0400 From: Monty Solomon <monty@private> Subject: Identities stolen in seconds Timothy L. O'Brien, (*The New York Times*, 24 Oct 2004) Pausing in the foyer of a comfortable suburban home two days before Halloween in 2002, Kevin Barrows, a special agent with the F.B.I., could not bring himself to open the front door. He and a team of agents had just spent several hours searching every room in the house, in New Rochelle, N.Y., but they were leaving empty-handed. Months of investigating had led Mr. Barrows to believe that someone was orchestrating a huge fraud from the house, yet he had not found a single scrap of evidence. Still, something bothered him about the furniture in one of the bedrooms. It seemed oddly oversized. So he headed back upstairs for a second look, and his attention focused on an expansive canopy over the bed. When he pushed at the draping, he found that it was weighed down with files. They contained reams of confidential financial information about hundreds of individuals whose identities had been pilfered in an intricate scheme that illicitly netted more than $50 million. Two years later, the New Rochelle home has emerged as a linchpin in what federal law enforcement authorities describe as the biggest case of identity theft ever uncovered in the United States. The scheme was essentially masterminded by just two people: Linus Baptiste, who lived in the house and had contacts with a sprawling ring of Nigerian street criminals, and Philip A. Cummings, his former brother-in-law, who worked as a help-desk clerk at a Long Island software company. At least 30,000 people nationwide were victimized, according to law enforcement authorities and court documents. ... http://www.nytimes.com/2004/10/24/business/yourmoney/24theft.html ------------------------------ Date: Mon, 08 Nov 2004 07:57:29 -0700 From: "NewsScan" <newsscan@private> Subject: Pirates see video games before paying customers do Pirated copies of the sci-fi action title "Halo 2" and games such as "Grand Theft Auto: San Andreas" and "Half-Life 2" have been circulating on file-sharing networks, news groups and Web sites even before their official release to consumers. Brian Jarrard of Microsoft's Bungie Studio, which produced "Halo 2," complains: "You spend three years of your life pouring everything you have into this project, and then somebody gets their hands on the game and gives it away to the world for free. We made this, and these guys had no right to give it out to the public." Douglas Lowenstein, president of the Entertainment Software Association, admits: "The problem and challenge with piracy is that there are people out there on a worldwide basis who've identified piracy as a very profitable enterprise. You don't end this problem overnight." [AP 8 Nov 2004; NewsScan Daily, 8 Nov 2004] http://apnews.excite.com/article/20041108/D867MSU80.html ------------------------------ Date: Mon, 25 Oct 2004 08:01:44 -0700 From: "NewsScan" <newsscan@private> Subject: Music industry on the wrong course Wharton business professor Joel Waldfogel says the music industry is mistakenly pursuing a short-term strategy in backing the Inducing Infringement of Copyrights Act of 2004, which would hold liable any entity that "intentionally aids, abets, induces or procures" copyrighted material. Rather than fighting technological advances through litigation, the music industry must come up with new business models -- for instance, taking advantage of the Internet to slash its distribution costs. "Instead of putting out CDs and shipping them on trucks, they can send them directly at a very low cost. That does suggest a very different business model than charging $15 or $20 for a CD. It might be a much more attractive way to do things. Stuff that is easy to distribute wants to be free. Given that force, I think [the recording industry] needs to come up with a new model for generating income," says Waldfogel. [Knowledge@Wharton, Oct 20-Nov 2 2004; NewsScan Daily, 25 Oct 2004] http://knowledge.wharton.upenn.edu/index.cfm?fa=viewArticle&id=1066 ------------------------------ Date: Fri, 5 Nov 2004 08:23:15 -0000 From: Nik Barron <Nik.Barron@private> Subject: Cahoot online banking security issue The UK's BBC Breakfast news reported a security issue with the Cahoot Internet bank. Apparently due to a recent system upgrade 12 days ago it was possible to access other users' accounts with only their user ID (normally, a password and set of "memorable information" is required before access is granted). The report did not reveal the full details for obvious reasons, but implied that it was necessary to know the user's login name, which certainly for other banks is not directly related to the user's name. It was also confirmed by Cahoot that it would not be possible to transfer any money without knowledge of the password and memorable information. Cahoot reacted promptly when the issue was confirmed, closing the site for ten hours while the cause was investigated and resolved. The system is now up and running and the vulnerability has been removed. Although no financial loss was possible, this was a serious confidentiality breach albeit mitigated by ease of access to the user's login name. Needless to say the bad publicity will probably cause confidence problems for Cahoot and other online banks. Lessons to be learned include the need for comprehensive regression testing of security after system upgrades, and the difficulty in bolting on session security to web-based systems. Full details are on the BBC's web site at http://news.bbc.co.uk/1/hi/programmes/breakfast/3984641.stm Surprisingly, Cahoot have no statement on their site regarding the issue. The FAQ on "Security" states "However, we can reassure you that the site is tested regularly by independent security experts who are satisfied that the site is secure". [Also noted by Michael Bacon. PGN] ------------------------------ Date: Mon, 8 Nov 2004 08:19:12 +1100 From: "Tim Chmielewski" <tim@private> Subject: Westpac Internet Banking problems The Australian bank Westpac decided to implement its promised security upgrade to their internet banking service on the weekend, only to have something go wrong and lockout thousands of customers (I would know as my Dad called me not long after I had the same problem.) As their support line is only open 8am to 5pm during the week there was no one I could call to report the problem. When I rang this morning there was a recorded message regarding the problem with the service (I suspect they had to put it up or else their support line would be flooded.) They tout their online banking service as being 24/7, but if they don't have the support to go with it, what is the use of having it? Also, if they were going to require a change of passwords for a system upgrade, I think they should have sent a message out by mail at least two weeks in advance. At least I haven't had any money stolen from me via the online banking service like what happened to service National Australia Bank customers last year. Tim Chmielewski Webmaster, Human Edge Software http://www.humanedge.biz ------------------------------ Date: Fri, 05 Nov 2004 11:42:55 +0100 From: Henk Langeveld <hlangeveld@private> Subject: Banks and their marketing/PR departments Re: Do vendors read their own security policies? <jmeissen@private> I get frequent mailings from two Dutch banks, who apparently use the same PR company to send out their mailings. Both the mailings and the URLs (for special offers) refer to sites *not* under the control of the bank. ------------------------------ Date: 5 Nov 2004 00:43:55 -0000 From: John Levine <johnl@private> Subject: Re: TV emits international distress signal (Hogsett, RISKS-23.57) >And then there's the story (perhaps an urban legend) about people mailing >supposedly-defective electronic toll tokens back to the issuing highway >authority, and being billed for the tollbooths the mail truck passed >through... It's well documented. E-ZPass toll transponders contain a battery which eventually wears out, so every few years they send you a new pass and tell you return the old one. They provide a conductive bag that prevents the pass from responding, but a certain number of people don't bother to put the pass in the bag and it gets read on the way to the service center. The specific cases I've heard about were on the NJ Turnpike on the way to the Staten Island service center, but since all of the E-ZPass centers are close to the roads or bridges they serve, it happens all the time. [Yes. Paul Schreiber notes Susan Landau's item in RISKS-23.01 on this very subject. Sorry I neglected to interject that. PGN] ------------------------------ Date: Fri, 05 Nov 2004 10:04:27 +0000 From: Martin Hepworth <martinh@solid-state-logic.com> Subject: Re: Clocks set back a week too early (RISKS-23.58) Since 1996, when the UK changed it's 'daylight saving' schedule to be in line with continental Europe, it's always been the last Sunday of March and October when this change occurs. That was 8 years ago! http://wwp.greenwichmeantime.com/time-zone/rules/eu.htm http://www.nmm.ac.uk/site/request/setTemplate:singlecontent/contentTypeA/conWebDoc/contentId/344 The risk seems to be people 'interpreting' the 'last Sunday' to mean the 'fourth Sunday', and not taking into account a month with 5 Sundays... Martin Hepworth, Senior Systems Administrator, Solid State Logic Ltd tel: +44 (0)1865 842300 ------------------------------ Date: Fri, 5 Nov 2004 18:34:30 +0000 From: Mike Causer <mikec@private> Subject: Re: Clocks set back a week too early (RISKS-23.58) [...] The BST to GMT switch happened on the 5th Sunday of October in 1950, 1961, 1967, 1971, 1972, 1978, 1989, 1999, and 2000. (Source: http://wwp.greenwichmeantime.com/info/bst2.htm) Mike Causer http://www.mikecauser.com mikec@private ------------------------------ Date: Sat, 6 Nov 2004 23:08:57 -0500 From: rbean@private (Ron Bean) Subject: Re: Is Windows up to snuff for running our world? (Smith, RISKS-23.58) > But is the Windows operating system really reliable and secure enough for > these kinds of applications? Apple is missing out on a huge market here by not allowing their OS to run on other vendors' hardware. Nobody's going to buy a Mac to run an ATM or a cash register, but they might buy the OS if they thought it would work better. ------------------------------ Date: 04 Nov 2004 23:40:42 +0100 From: Geoff Kuenning <geoff@private> Subject: Re: Battlefield Robotics are risk to the world public (RISKS-23.58) To be fair to John Deere, as far as I can tell this particular robot is intended to be used purely for surveillance and will not have offensive capabilities. But Edward Nilges is still correct in his analysis of the risks of offensive robots. I especially agree with the analogy to land mines. I recall a science fiction story from nearly 50 years ago that warned of the problems of a killer robot still searching for targets long after the war had happened. Perhaps we should insist that everyone in the Pentagon read old SF? Geoff Kuenning geoff@private http://www.cs.hmc.edu/~geoff/ ------------------------------ Date: Sat, 6 Nov 2004 15:43:06 -0600 (CST) From: jhhaynes@private Subject: Book on malicious cryptography The October issue of Cryptologia has a review of "Malicious Cryptography: Exposing Cryptovirology" by Adam L. Young and Moti Yung, about the use of cryptography by crackers. ------------------------------ Date: 2 Jun 2004 (LAST-MODIFIED) From: RISKS-request@private Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. To subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to risks-request@private containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit the process by sending directly to either risks-subscribe@private or risks-unsubscribe@private depending on which action is to be taken. Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc. INFO [for unabridged version of RISKS information] .UK users should contact <Lindsay.Marshall@private>. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail! => The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from <http://www.CSL.sri.com/risksinfo.html> The full info file may appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@private with meaningful SUBJECT: line. *** NOTE: Including the string "notsp" at the beginning or end of the subject *** line will be very helpful in separating real contributions from spam. *** This attention-string may change, so watch this space now and then. => ARCHIVES: ftp://ftp.sri.com/risks [subdirectory i for earlier volume i] <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue. Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r <http://the.wiretapped.net/security/info/textfiles/risks-digest/> . ==> PGN's comprehensive historical Illustrative Risks summary of one liners: <http://www.csl.sri.com/illustrative.html> for browsing, <http://www.csl.sri.com/illustrative.pdf> or .ps for printing ------------------------------ End of RISKS-FORUM Digest 23.59 ************************
This archive was generated by hypermail 2.1.3 : Fri Jan 28 2005 - 10:24:01 PST