[RISKS] Risks Digest 24.71

From: RISKS List Owner (risko@private)
Date: Tue Jun 26 2007 - 08:30:18 PDT


RISKS-LIST: Risks-Forum Digest  Tuesday 26 June 2007  Volume 24 : Issue 71

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/24.71.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
DHS = Department of Holey Security? (PGN)
United Airlines cites 'human error' for glitch (Mark J Bennison)
Cause of Gripen "spontaneous ejection" (Paul E. Black, Crispin Cowan)
Transport system complexity presents insurmountable risk? (Mike Martin)
Improving reliability of critical software (Jeremy Epstein, Paul E. Black)
More people die from sand hole collapses than sharks (Jeremy Epstein)
E-vote 'threat' to UK democracy (David Lesher)
Reality TV, video archives and on-line voting (Robin Fairbairns)
A movie torpedoes the concept of electronic voting? (Ferdinand J. Reinke)
Information leaked from web order page (Bruce Hamilton)
Not much e-mail is protected from government search (Andrew Klossner)
Re: Search Engine Dispute Notifications (Crispin Cowan)
Advertising Risk (Rob Boudrie)
Not Talking About vs. Not Doing (Gene Wirchenko)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 20 Jun 2007 18:12:36 PDT
From: "Peter G. Neumann" <neumann@private>
Subject: DHS = Department of Holey Security?

  [See my recent testimony on Security and Privacy in the Employment
  Eligibility Verification System (EEVS), for a hearing of the House Ways
  and Means Committee Subcommittee on Social Security:
    http://www.csl.sri.com/neumann/house07.pdf   and
    http://www.acm.org/usacm/PDF/EEVS_Testimony_Peter_Neumann_USACM.pdf
  DHS is responsible for EEVS.  The prototype has a four-percent error rate
  overall, which is reportedly much higher among eligible would-be employees
  who are not U.S. citizens.  PGN]

"Homeland Security Department computers and cyber systems have been infected
with viruses and malicious scripts that could compromise passwords and
information on U.S. citizens, intelligence operations and the nation's
critical infrastructure.  ... A draft report from the Homeland Security
Department's inspector general found that two computer systems at the
department's headquarters were infected with scripts that could compromise
passwords and allow unauthorized access by outsiders."  [Source: Chris
Strohm, CongressDaily, 19 June 2007, PGN-excerpted.]
  http://govexec.com/dailyfed/0607/061907cdpm2.htm

  [The article by Chris Strohm was written in anticipation of another
  hearing by the same subcommittee on the same subject.  Annie Anton's
  written testimony for that hearing is also online:
    http://www.acm.org/usacm/PDF/SSN_Anton_USACM_testimony.pdf
  PGN]

------------------------------

Date: Fri, 22 Jun 2007 07:49:21 +0100
From: "Bennison, Mark J" <mark.m.bennison@private>
Subject: United Airlines cites 'human error' for glitch

  'Chief Operating Officer Pete McDonald said the error occurred during
  routine system testing.  "Yesterday, an employee made a mistake and caused
  the failure of both Unimatic and our backup system," he said in the
  recorded call to employees. He did not elaborate on the error.'

For such a critical system one wonders why both the main and backup systems
failed as a result of the mistake - indicating a lack of robustness in the
system design to me - but moreover why "routine system testing" was being
performed on a live system during peak times? In the UK I believe that
system testing (and upgrades etc) of airline computer systems occurs
overnight (OK, the concept of 'overnight' for a worldwide system is moot,
but it is performed at times of least activity).

  [See also an earlier report from 20 Jun 2007,
  Computer outage grounds United for 2 hours
  http://www.cnn.com/2007/TRAVEL/06/20/united.flights.ap/index.html
  PGN]

------------------------------

Date: Thu, 21 Jun 2007 13:44:25 -0400
From: "Paul E. Black" <paul.black@private>
Subject: Cause of Gripen "spontaneous ejection" (Re: Lima, RISKS-24.70)

A comment on the article by "maddogone" says, "The tests show it was the
G-suit which activated the ejection.  ... when it filled with air it pressed
against the release handle"

For an explanation of an anti-G suit, see
  http://www.daviddarling.info/encyclopedia/A/antigsuit.html

------------------------------

Date: Wed, 20 Jun 2007 10:41:20 -0700
From: Crispin Cowan <crispin@private>
Subject: Cause of Gripen "spontaneous ejection" (Re: Lima, RISKS-24.70)

Is this really a case of complex systems interaction producing unpredictable
results? Or is it that high G-forces tripped the switch to induce ejection?
The latter is just defective design of a single component with respect to
the environment it was intended for.

Crispin Cowan, Ph.D., Director of Software Engineering   http://novell.com
AppArmor Chat: irc.oftc.net/#apparmor  http://crispincowan.com/~crispin/

------------------------------

Date: Thu, 21 Jun 2007 18:05:09 +1000
From: "mike martin" <mke.martn@private>
Subject: Transport system complexity presents insurmountable risk?

How difficult is it to collect a bus fare or commuter rail fare?

The state of New South Wales was to have an integrated, smartcard-based
ticketing system covering all modes of public transport other than taxis, in
time for the Sydney 2000 Olympic Games.

The system is still not working. A recent pilot trial in buses was called
off when the 420 bus drivers involved voted to boycott it. The ticket
machines kept crashing and bus drivers had to stop each time to fix them,
http://www.smh.com.au/news/national/driver-boycott-delays-tcard-once-again/2007/06/14/1181414469692.html

All well and good; it sounds like any number of other projects where
governments have been let down by technology. There is an oddity here
though. The firm selected to provide the ticketing system, ERG Group, has
been a partner in over a dozen successful projects around the world,
including the Hong Kong Octopus system, claimed to be the largest of its
type. It has supplied similar ticketing systems in San Francisco and
Washington, DC. What's unique about NSW that has caused such protracted
delays?

Yesterday a report in The Australian Financial Review (unavailable online)
gave a hint as to what the real problem is:

  "Transport experts have repeatedly warned that NSW's more than 70
  individual public transport fare products is unnecessarily large and will
  require dramatic simplification in order for an integrated ticketing
  system to be successful across all modes of transport.

  "The NSW government conceded yesterday that it would need to substantially
  simplify fare structures to make the Tcard project a reality. The most
  likely option was a system of distance-based zones similar to that of most
  other metropolitan transport authorities."

It is 11 years since the Public Transport Authority of NSW was set up to
pursue integrated ticketing as a means of increasing the attractiveness of
public transport. It appears that the government may have finally realised
what "integrated" really means.

Mike Martin, Sydney <mke.martn@private>

------------------------------

Date: Thu, 21 Jun 2007 12:28:42 -0400
From: "Jeremy Epstein" <jepstein@private>
Subject: Improving reliability of critical software (Re: Auslander, R-24.70)

It's a very appealing idea, but one that doesn't work.  N-version
programming has been studied, and the essential problem is that the teams
tend to make the same mistakes, and also that determining a "mismatch" is
harder than it sounds.  See J. C. Knight and N. G. Leveson. "An
experimental evaluation of the assumption of independence in multiversion
programming". In IEEE Transactions on Software Engineering, SE-12(1):96-109,
January 1986.

There's a good summary of the issues at
http://en.wikipedia.org/wiki/N-Version_Programming.

Take as an example the problem of building a browser, which I'd argue is one
of the biggest real-world N-version programming examples ever tried: there
are some reasonably detailed specifications as to protocols (e.g., HTTP),
layout (e.g., HTML), etc. - but there are many web sites that work (or look
"right") with one but not another browser - even setting aside features
specific to one browser (such as ActiveX).  A decision function would have a
very difficult time deciding whether the browsers give consistent results
for the specifications.

>The space shuttle software has used this technique for quite a while.

The Space Shuttle does *not* use N-version programming - it uses identical
instances of the same software, and uses redundancy to account for hardware
failures.  Again, a good explanation of the methodology used is at
http://en.wikipedia.org/wiki/Space_shuttle.

The RISK?  Assuming that having multiple independent versions is going to
solve mission-critical reliability problems!

------------------------------

Date: Thu, 21 Jun 2007 14:31:00 -0400
From: "Paul E. Black" <p.black@private>
Subject: Improving reliability of critical software (Re: Auslander, R-24.70)

N-version programming to improve reliability of critical software?

N-version programming may lead to much higher quality IF errors are
independent.  Hatton 1997 cites studies that support sufficient
independence.  Brilliant, Knight, and Leveson 1990 reported that in an
experiment programmers made "equivalent logical errors" and different
logical errors caused "statistically correlated failures".  So it is no
panacea.
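Added example (editorial, not part of either post above): a minimal majority
voter of the kind an N-version decision function needs, used to show the two
points Epstein and Black make, namely that correlated mistakes defeat the vote
and that deciding what counts as a "mismatch" depends on the specification.
The leap-year and word-set functions, the three-version setup and the
simple-majority rule are my own illustrative assumptions; nothing here is
taken from the Knight/Leveson or Hatton studies.

```python
"""Added example (not from the RISKS posts): a minimal N-version voter and two
ways it fails in practice.  Assumptions (mine, not the digest's): the spec is a
pure function with a single result and a strict majority of N=3 is accepted."""
from typing import Any, Callable, Optional, Sequence


def vote(versions: Sequence[Callable[..., Any]], *args: Any,
         same: Callable[[Any, Any], bool] = lambda a, b: a == b) -> Optional[Any]:
    """Run every version on the same input and return the result that a strict
    majority agrees on, or None if there is no majority.

    `same` is the decision function's notion of "consistent".  The voter has to
    be told what counts as the same answer: bit-for-bit equality is usually too
    strict (and sometimes too loose) for a real specification."""
    results = [v(*args) for v in versions]
    clusters: list = []  # [representative_result, number_of_versions_agreeing]
    for r in results:
        for cluster in clusters:
            if same(cluster[0], r):
                cluster[1] += 1
                break
        else:
            clusters.append([r, 1])
    rep, n_agree = max(clusters, key=lambda c: c[1])
    return rep if 2 * n_agree > len(results) else None


# --- Failure mode 1: correlated mistakes -------------------------------------
# Three "independent" teams implement "is year y a Gregorian leap year?".
def leap_correct(y: int) -> bool:
    return y % 4 == 0 and (y % 100 != 0 or y % 400 == 0)

def leap_forgot_400_rule(y: int) -> bool:   # a common, easily repeated slip
    return y % 4 == 0 and y % 100 != 0

def leap_forgot_100_rule(y: int) -> bool:   # a different slip
    return y % 4 == 0


def independent_errors(y: int) -> Optional[bool]:
    """Teams erred differently: the wrong versions disagree with each other,
    so the correct one always has a partner and the vote masks both bugs."""
    return vote([leap_correct, leap_forgot_400_rule, leap_forgot_100_rule], y)

def correlated_errors(y: int) -> Optional[bool]:
    """Two teams made the same slip: the correct version is outvoted on
    exactly the inputs where the slip matters (year 2000, for instance)."""
    return vote([leap_correct, leap_forgot_400_rule, leap_forgot_400_rule], y)


# --- Failure mode 2: deciding what a "mismatch" is ---------------------------
# Spec: "return the distinct words of a sentence".  All three are correct,
# but each picks a different, equally valid, representation of the answer.
def words_first_seen(s: str) -> list:
    seen, out = set(), []
    for w in s.split():
        if w not in seen:
            seen.add(w)
            out.append(w)
    return out

def words_sorted(s: str) -> list:
    return sorted(set(s.split()))

def words_as_set(s: str) -> set:
    return set(s.split())

WORD_VERSIONS = [words_first_seen, words_sorted, words_as_set]

def distinct_words_strict(s: str) -> Optional[Any]:
    """Bit-for-bit comparison: three correct versions and no majority at all."""
    return vote(WORD_VERSIONS, s)

def distinct_words_semantic(s: str) -> Optional[set]:
    """Compare under the specification's own equivalence (same set of words)."""
    r = vote(WORD_VERSIONS, s, same=lambda a, b: set(a) == set(b))
    return None if r is None else set(r)


if __name__ == "__main__":
    print(independent_errors(2000), independent_errors(1900))  # True False
    print(correlated_errors(2000))                              # False: outvoted
    print(distinct_words_strict("b a b c"))                     # None
    print(distinct_words_semantic("b a b c"))                   # {'a', 'b', 'c'}
```

The voter itself is a few lines; the work is in choosing `same`, which is the
browser problem Epstein describes in miniature (three renderings of the same
page are "consistent" only under a notion of equivalence that somebody has to
write down), and in the fact that two versions sharing one slip outvote the
correct third version on precisely the inputs that matter.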

------------------------------

Date: Thu, 21 Jun 2007 08:26:19 -0400
From: "Jeremy Epstein" <jepstein@private>
Subject: More people die from sand hole collapses than sharks

Interesting article comparing the number of people killed in the US each
year from the collapse of sand holes (i.e., holes dug in the beach) vs.
shark attacks.  A good explanation: "People naturally worry about splashier
threats, such as shark attacks. However, the Marons' research found there
were 16 sand hole or tunnel deaths in the United States from 1990 to 2006
compared with 12 fatal shark attacks for the same period".

This echoes a point frequently made in RISKS, so it should be no surprise to
any readers here.

Will legislators call for laws to improve safety and protect against
terrorists by banning sand?

Full article:
http://www.cnn.com/2007/HEALTH/06/20/sand.deaths.ap/index.html

------------------------------

Date: Mon, 25 Jun 2007 09:37:54 -0400
From: David Lesher <wb8foz@private>
Subject: E-vote 'threat' to UK democracy

E-vote 'threat' to UK democracy (BBC News)
British democracy could be undermined by moves to use electronic voting
in elections, warns a report.
http://news.bbc.co.uk/1/hi/technology/6229640.stm

The risks involved in swapping paper ballots for electronic versions far
outweigh any benefits they may have, says the Open Rights Group report.

Technical chaos hits local counts (BBC News)
Voters in the west of Scotland have been hit by chaos during the Scottish
parliamentary elections.
http://news.bbc.co.uk/2/hi/uk_news/scotland/glasgow_and_west/6623239.stm

Counts in Argyll and Bute, Eastwood, and Strathkelvin and Bearsden were
suspended until later on Friday due to technical problems.

The problem at the Strathkelvin and Bearsden count occurred when the
computer system could not validate the votes that had been counted so far.

http://news.bbc.co.uk/2/hi/programmes/click_online/3945675.stm

America's presidential election could be one of the closest in history, and
in the past four years there has been a great deal of pressure to come up
with a foolproof, electronic voting system. Ian Hardy reports on whether or
not that has been achieved.

According to officials in Fairfax County, the latest e-voting technology is
simple, straightforward and sure-fire.

The county's electoral official, Blanche Kapustin, says: "When they look at
the screen they'll see that the name of the person they've selected has
turned red. There's also a gigantic tick mark next to that person's name.

"They return to the summary screen, press the "next" button and once they
press the "vote" button that's the end."

The data, which is collected on a memory device, is taken to a central
location to be processed.

But opponents of e-voting say the current system is fundamentally flawed
because there is no way that a voter's intent can ever be proved by anyone,
once they have walked away from the screen.

------------------------------

Date: Thu, 21 Jun 2007 17:44:26 +0100
From: Robin Fairbairns <Robin.Fairbairns@private>
Subject: Reality TV, video archives and on-line voting

One of the (apparently) less offensive sorts of reality TV in the UK is the
show where someone is chosen to perform a part in an upcoming stage
production.

The BBC was doing one to choose a leading man for a new West-End production
of "Joseph and his amazing technicolour dreamcoat", and they had the rather
pleasing idea of finding a children's choir to perform alongside the chosen
singer in the final.  The choir was to be made up of children no older than
11; the world at large was to get the opportunity of voting on 1-minute
video clips of schools, and one of those voted into the top 20 would then be
chosen by Andrew Lloyd Webber himself (the composer of "Joseph").

Cue frenzy among the primary-school music teachers of the UK.  Existing
school choirs started learning the music for their clip; a fair few schools
decided to form a choir of their own; arrangements had to be made for
recording the clip, and so on, and so on.  This was all to the good:
everyone (who cares) is worried about music in British schools, and here was
real motivation.

But then it started to go wrong.  Very soon after the first schools had
uploaded their clips, it was clear that the server wasn't sized for the
demands that were to be placed on it.  The first time I looked at the site,
there were several-minute delays each time I asked for another performance
to consider; there were fewer than 200 clips on line, at the time, and voting
hadn't yet started.

It was clear the BBC hadn't realised the reaction they were going to get.
For every school that entered a choir, there were 20 children, the
children's families, the school's teachers, and assorted hangers-on like me
(my wife is a teacher).  Nearly 850 schools had entered, by the end.

The voting scheme was that each vote had to give a choir a score in the
range 1-5; places were to be decided by the choir's "average" score over all
votes they had received.  Each voter could vote for as many choirs as she
had time for.  None of the organisers seems to have considered the obvious
weakness of such a voting system.

Voter registration seems to have been on the basis of IP address -- a blow
for schools (or homes) all of whose computers are NAT-addressed, and for
homes where there's only one computer with several users.

Within a few days of the server operating by fits and starts, they closed
the voting and said they were thinking again.  When voting restarted,
registration was by email address/password, entering those on-line on the
Joseph site -- something I suspect will have been a disincentive to some.
The site was, however, responsive at this stage.

But even though voting was underway again, it was clear that not all was as
it should be.  The "top 20", which appeared on your screen whenever you
connected, hardly seemed to move though some of them were, in all honesty,
less deserving than many of those further down the table.

The BBC blamed the voters.  "Block voting", they said, was the order of the
day; but it's impossible to know what was actually happening since the BBC
weren't forthcoming about the details.  (It has to be said that the site
managers -- BBC contractors, not BBC people -- responded promptly to
reasonable enquiries.)

Eventually, even the BBC seemed to agree that even the revised voting system
was not fit for purpose.  Having delayed beyond their original deadline for
announcing the finalists, they admitted defeat on the on-line voting, and
closed the voting site.  They recruited a panel to view all the clips to
choose the top few for Lloyd Webber to review.

The school that was finally chosen hadn't appeared near the top on-line, and
I, for one, didn't see its clip.  One hopes it was better than all the
*extremely* good schools I viewed, but since the BBC withdrew all clips when
they gave up on the voting, I shan't ever know.  And I don't have a TV, so I
never saw them performing at all.

Oh, and my wife's choir was far lower in the voting than it merited.  (I
have to admit that though it's good, it wasn't up there with the very best.)
I gave it 5...

Risks: well, lots.  Don't underestimate the popularity of your site.  Don't
invent crocked voting systems; don't try to rehash your voting system on the
fly.  In short: accept that this sort of thing isn't "easy".

Of course, we don't know what advice the BBC had, so we'll never know if the
cause was the BBC managers rejecting advice on cost grounds, or their
software contractors getting the design wrong.  I can guess a scenario, but
I wouldn't care to publish it.

Robin Fairbairns -- University of Cambridge Computer Laboratory
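Added example (editorial, not part of Robin Fairbairns's post): the ranking rule
the post describes, a plain average of 1-5 scores with every voter free to score
as many choirs as they like and no dependable voter identity, beside one standard
correction. The post does not say what the "obvious weakness" is; the example
shows the usual one (a handful of 5s from a tiny choir's friends outranks hundreds
of honest 4s and 5s, and repeat submissions drag a rival down) and a common fix,
one score per voter per choir plus a damped mean. All votes are constructed for
illustration and the damping constants are my assumptions, not anything the BBC
or its contractors used.

```python
"""Added example (not from the RISKS post): rank-by-raw-average versus a
deduplicated, damped average.  Votes are constructed; prior/weight are
illustrative assumptions, not the BBC's parameters."""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Vote = Tuple[str, str, int]  # (voter_id, choir, score in 1..5)


def constructed_votes() -> List[Vote]:
    """A big, genuinely popular choir; a tiny choir with three 5s from
    friends; and one 'block voter' who submits a 1 against the big choir
    fifty times.  Constructed data, not real votes."""
    votes: List[Vote] = []
    votes += [(f"v{i}", "Big", 5) for i in range(100)]
    votes += [(f"v{i}", "Big", 4) for i in range(100, 200)]
    votes += [(f"f{i}", "Tiny", 5) for i in range(3)]
    votes += [("blocker", "Big", 1)] * 50
    return votes


def raw_average(votes: Iterable[Vote]) -> Dict[str, float]:
    """The scheme described in the post: no deduplication, plain mean per choir."""
    total: Dict[str, int] = defaultdict(int)
    count: Dict[str, int] = defaultdict(int)
    for _voter, choir, score in votes:
        total[choir] += score
        count[choir] += 1
    return {c: total[c] / count[c] for c in total}


def damped_average(votes: Iterable[Vote], prior: float = 3.0,
                   weight: int = 20) -> Dict[str, float]:
    """One score per (voter, choir), last submission wins; then a mean pulled
    toward `prior` by `weight` phantom votes so that a few 5s cannot outrank
    hundreds of 4s and 5s (the usual 'Bayesian average' ranking)."""
    latest: Dict[Tuple[str, str], int] = {}
    for voter, choir, score in votes:
        if not 1 <= score <= 5:
            raise ValueError(f"score out of range: {score}")
        latest[(voter, choir)] = score
    total: Dict[str, float] = defaultdict(float)
    count: Dict[str, int] = defaultdict(int)
    for (_voter, choir), score in latest.items():
        total[choir] += score
        count[choir] += 1
    return {c: (total[c] + prior * weight) / (count[c] + weight) for c in total}


def ranking(scores: Dict[str, float]) -> List[str]:
    """Choirs ordered best first."""
    return sorted(scores, key=lambda c: scores[c], reverse=True)


if __name__ == "__main__":
    v = constructed_votes()
    print(ranking(raw_average(v)), raw_average(v))        # Tiny first, Big at 3.8
    print(ranking(damped_average(v)), damped_average(v))  # Big first
```

Deduplication only works if voter identity is dependable, which is exactly what
the post says the site did not have (first an IP address, which collapses a
whole NAT'd school into one voter, then a bare e-mail address), so the damping
is the part of the fix that survives weak registration: it limits how far a
small number of scores can move a choir, whoever cast them.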

------------------------------

Date: Sun, 24 Jun 2007 00:39:08 -0400
From: "r @ reinke" <reinke@private>
Subject: A movie torpedoes the concept of electronic voting?

Man of the Year, with Robin Williams as President Elect Tom Dobbs

  Tom Dobbs, comedic host of a political talk show - a la Bill Maher and Jon
  Stewart - runs for President of the US as an independent candidate who,
  after an issues-oriented campaign and an explosive performance in the
  final debate, gets just enough votes to win. Trouble is he owes his
  victory to a computer glitch in the national touch-screen voting system
  marketed by Delacroy, a private company with a rising stock price. To
  protect their fortune, Delacroy executives want to keep the glitch a
  secret, but one programmer, Eleanor Green, wants Dobbs to know the
  truth. Can she get to him?  Written by jhailey.
  http://www.imdb.com/title/tt0483726/

Correct me if I am wrong, but did this movie just put a stake through the heart
of the vampire known as "electronic voting"?

Systems provided by Delacroy ... err I mean Diebold ... could manipulate the
results of an election. Based on the movie, I've just emailed Ron Paul to
change his name to Ron Paaul. (SPOILER: In the movie, the buggy computer
program elects the candidate with the "best" double letter.) So if anyone
wants to debate about paperless electronic Internet voting and tell you how
good it will be yada yada yada, just rent them this movie. That should
finish up the discussion!

They say many a true word is said in jest.

Sometimes concepts can get through via humor. My non-techie spouse said after
watching this that it would now never be approved here. Hope she's right.

This film IMHO says it all about that topic. And, says it in a way that comes
across to the average person.

p.s.: The movie did have one other great line. Tom Dobbs says "Politicians
are a lot like diapers. They should be changed frequently, and for the same
reasons."  If you gather I'm no fan of politicians, you're correct. They are
like diapers!

Ferdinand J. Reinke, Kendall Park, NJ 08824 http://www.reinke.cc/
http://www.reinkefaceslife.com/  http://www.linkedin.com/in/reinkefj

  [Well, the script writers for the film relied on a plot hook relating to a
  rather amusing accidental misprogramming rather than a Trojan horse.  The
  latter might have been more effective in making the case.  Incidentally,
  we don't generally reveal plot hooks in RISKS.  However, this film has
  been around long enough (for example, it's been on several flights with
  me well after I had seen the first run).  PGN]

------------------------------

Date: Thu, 21 Jun 2007 11:09:22 -0600
From: <bruce_hamilton@private>
Subject: Information leaked from web order page

I just placed an order with MYSTICMAID (www.mysticmaid.com). One checkout
step was to fill in the usual - name, address, email, phone, etc.  The page
offered to me was already filled in with someone else's information!  A
quick check showed that the phone number matched the name; I suspect that
the address, email and other items matched also.

The shopping cart software let me use that information to proceed with the
purchase, but the credit card number was not pre-filled in :-)

At least the person I called at the company expressed concern and said they
would look into it.

bruce_hamilton@private  Tel: +1 408 553 2818   Fax: +1 408 553 3487
Agilent Technologies MS 4U-SM P.O. Box 58059, Santa Clara, CA 95051-7201

------------------------------

Date: Wed, 20 Jun 2007 13:24:36 -0700
From: Andrew Klossner <andrew@private>
Subject: Not much e-mail is protected from government search

The EFF press release starts out "San Francisco - The government must have a
search warrant," but in fact the ruling does not apply in San Francisco.  It
applies only in Kentucky, Michigan, Ohio, and Tennessee, the states in the
jurisdiction of the Sixth District Court of Appeals.

If the ruling is appealed to the Supreme Court, their judgment will
apply to the entire country.

------------------------------

Date: Wed, 20 Jun 2007 15:36:28 -0700
From: Crispin Cowan <crispin@private>
Subject: Re: Search Engine Dispute Notifications (Weinstein, RISKS-24.70)

I see a simple solution to this problem: individuals who feel defamed by
slanderous web sites just need to copyright or otherwise classify that
information about themselves as intellectual property, and then issue a DMCA
take-down order.  :-)

Crispin Cowan, Ph.D., Director of Software Engineering   http://novell.com
AppArmor Chat: irc.oftc.net/#apparmor  http://crispincowan.com/~crispin/

------------------------------

Date: Fri, 22 Jun 2007 10:53:27 -0400
From: "Rob Boudrie" <rob@private>
Subject: Advertising Risk

The recent disaster at Six Flags/KY where a kid had his feet severed by a
ride shows the risks of automated ad selection systems.  I viewed the video
of the story on-line on a KY TV station's site, and there was the typical
automatically selected commercial one had to watch to get to the story.  The
commercial was an ad for the same Six Flags amusement park covered in the
story.

------------------------------

Date: Wed, 20 Jun 2007 17:36:11 -0700
From: Gene Wirchenko <genew@private>
Subject: Not Talking About vs. Not Doing

  http://thomascrampton.com/2007/06/15/perils-of-privacy-on-facebook/
covers an interesting risk regarding a status change.  The key part:

  'My fiancee and I decided that showing our engagement in Facebook gave out
  a little too much personal information.

  But I did not realize that unchecking the box marked "Thomas Crampton is
  engaged to Thuy-Tien Tran" would send a message to everyone connected to
  us in Facebook that "Thomas Crampton and Thuy-Tien Tran are no longer
  engaged".'

Complications ensued.

------------------------------

Date: 2 Oct 2005 (LAST-MODIFIED)
From: RISKS-request@private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.   The mailman web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman your
 FROM: address, send a message to
   risks-request@private
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe@private or risks-unsubscribe@private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users should contact <Lindsay.Marshall@private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks@private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing

------------------------------

End of RISKS-FORUM Digest 24.71
************************



This archive was generated by hypermail 2.1.3 : Tue Jun 26 2007 - 09:01:29 PDT