RISKS-LIST: Risks-Forum Digest Tuesday 31 July 2007 Volume 24 : Issue 76
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/24.76.html>
The current issue can be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
Scientists' Tests Hack Into Electronic Voting Machines
California Voting System Hacking Report (Rebecca Mercuri, PGN)
Earthquakes and O rings (Rod Van Meter)
If this guy's telling the truth, he should never fly an airplane
(Erling Kristiansen)
Three little zeroes (Mark Brader)
Department of Health Proposes New Records System (EPIC News)
Comair Flight 5191 (Andrew Koenig)
Re: Accuracy of Hawkeye at Wimbledon (David Alexander)
Re: iPhone Security Flaw (Nicholas Weaver)
Re: Risk with the Mac OS X 10.4.10 version number (Richard Grady)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Sat, 28 Jul 2007 13:30:35 -0400
From: Daniel Graifer <graifer@private>
Subject: Scientists' Tests Hack Into Electronic Voting Machines
"Computer scientists from California universities have hacked into three
electronic voting systems used in California and elsewhere in the nation and
found several ways in which vote totals could potentially be altered,
according to reports released yesterday by the state."
The article includes discussion of the current House bill to require paper
audit trails.
Source: *The New York Times*
http://www.nytimes.com/2007/07/28/us/28vote.html
Daniel A. Graifer Home: 703-425-4512 Cell: 703-967-3635
------------------------------
Date: Fri, 27 Jul 2007 20:14:59 -0400
From: "R. Mercuri" <notable@private>
Subject: California Voting System Hacking Report
Just in case you haven't seen this yet, here's the California Overview
of the Hacking Report:
http://www.sos.ca.gov/elections/voting_systems/ttbr/red_overview.pdf
My executive summary of the overview is as follows:
At a cost of $1.8M, the California Secretary of State now has a report that
confirms that all of the State's Hart, Diebold and Sequoia DRE and OpScan
voting systems can be hacked in various ways. Potential hacks include the
all-important ability to have a VVPAT print out one thing and the DRE total
reflect something else, thus rendering the VVPAT moot, as well as the
capability of detecting election mode (thus enabling the pre-election
testing to appear correct, while the actual election has been
compromised). All of these are types of hacks that many knowledgeable people
have been saying for years could happen, and now we know that for sure they
can. Oh, and guess what else? "The security mechanisms provided for all
systems analyzed were inadequate to ensure accuracy and integrity of the
election results." Gee, what a surprise.
Unfortunately the report provides a fall-back position whereby these
wretched election products can continue to be used -- by claiming that many
of the attack scenarios can be mitigated through better physical security,
security training of staff, and contingency planning. Of course the report
fails to mention that if the staff or the vendor is corrupt and their
contingency plan is to cover up their tracks, we now know for sure that a
game plan for fraud is certainly possible. So let's just throw more money at
additional security mechanisms and training while we all pretend that we're
conducting legitimate elections. Good job, guys, thanks for letting the CA
SoS off the hook.
Here's a novel thought: why not just throw this crap in the junk heap where
it belongs, vote on paper, and let the citizens do the counting? Maybe for
another $1.8M some State can get a team of PhDs to validate that conclusion.
Rebecca Mercuri.
Permission Granted to Post This Message in its Entirety.
------------------------------
Tue, 31 Jul 2007 12:13:17 PDT
From: "Peter G. Neumann" <neumann@private>
Subject: California Voting System Hacking Report
Apparently along with many other Web watchers, I spent time yesterday
watching an all-day hearing of the California Secretary of State, Debra
Bowen, interrupted by frozen screens presumably resulting from too many
people trying to follow the live webcast. In my opinion, Secretary Bowen
has consistently sought a better understanding of the integrity, accuracy,
reliability, and survivability of the electronic voting systems that are in
use in California -- or the lack thereof. (Several of us had testified in
February 2006 for her California Senate Elections Committee, with my
testimony on the relative merits of openness in voting systems available at
http://www.csl.sri.com/neumann/calsen06.pdf .)
Five reports are now available on the California SoS website:
http://www.sos.ca.gov/elections/elections_vsr.htm
including the red-team overview, red-team analysis of Diebold, Hart, and
Sequoia systems, as well as a detailed analysis of accessibility and
usability of the three systems -- conducted by Noel Runyan and Jim Tobias.
Further reports analyzing source code and documentation for each of the
three systems have not yet been released; according to the website, these
reports will be posted "as soon as the Secretary of State ensures the
reports do not inadvertently disclose security-sensitive information."
Here are my own personal comments. (NOTE: I was *not* a part of the
Top-to-Bottom Review [TTBR], and have not been privy to any inside
information.)
I applaud analyses that provide greater sunshine in the election process,
even if they can address only a part of the total system. (Election system
vendors have typically hidden behind proprietary status of everything --
including not only the software but also the data formats, and even internal
voting data in disputed elections.) However, analyses must always be
considered in the context of the total system -- hardware, software,
procedures, users, the physical premises, and so on. Given various late
starts and the fixed termination date for all of the efforts that was
imposed by the hearing, the results available thus far seem worthy -- albeit
clearly not surprising to those of us (including Rebecca Mercuri) who have
been involved in seeking integrity in the election process for many years.
(My involvement goes back to the mid-1980s.) The systems have generally
been known to be lacking in good software engineering practice, built-in
security, and measures that might have obviated the need for extensive
operational procedures. The findings of the University of California teams
can provide further evidence of that to those people -- including lawmakers
-- who have not previously been exposed to the innards.
The red-team overview report, which notes the need for procedural
mitigations to overcome the existence of technological vulnerabilities,
tries to give some perspective to the public by pointing out that the
electronic voting systems are only one part of a larger process. Long-time
RISKS readers by now know how important it is to consider the results of the
process as a whole rather than looking only at the individual pieces in
isolation. Also, note that the overview does not say *all* flaws can be
overcome; it says that the reviewers believe *many* can be compensated for.
As Matt Bishop stated during the final question-and-answer session of
yesterday's public hearing, his personal opinion is that some flaws require
changes to the technology, rather than just procedural adjustments. (This
occurs about 6:41:00 into the streaming video, which can be found at
http://www.calchannel.com.) I have generally believed this to be true,
because people are fallible and not always able or willing to follow the
procedures. It seems to be especially important in elections, in which
human frailty needs to be avoided and where tamper-resistant and
tamper-evident audit trails are essential.
There were of course critics in the hearing who believe that the
technological study was lacking in reality: for example, it was inherently
incomplete because only 3 of the 9 systems currently in use in California
were included; it did not adequately address procedural issues, which might
compensate for the security and privacy protection vulnerabilities that the
TTBR was intended to identify; it failed to caveat the vulnerabilities with
an assessment of the risks of exploitation of the vulnerabilities. (On the
other hand, RISKS readers are familiar with our persistent warnings about
the risks of flawed quantitative risk assessment.) One complaint was that
the effort was a waste of time, because no malware was detected. (However,
the study never attempted to look specifically for malware. I would presume
that the software provided by the vendors was free of intentional malware,
and furthermore, given the demonstrated vulnerabilities, installing malware
would not be at all difficult -- either in the development process or
subsequently!) Several election officials reported being completely happy
with the electronic systems, and claimed that there have never been any
problems. (But many would-be problems with DREs can be undetectable.)
All in all, I believe that Secretary Bowen's desire for a top-to-bottom
review of the entire election process will benefit from a better
understanding of the technological vulnerabilities -- even though they
certainly represent just one piece of the overall puzzle.
------------------------------
Date: July 23, 2007 2:44:58 AM EDT
From: Rod Van Meter <rdv@private>
Subject: Earthquakes and O rings (via Dave Farber's IP)
[Another example of the globality of local risks... PGN]
By now everyone has heard of the M6.8 earthquake up in Niigata last
week, a couple of hours north of Tokyo by shinkansen. Ten people were
killed (all in their 70s and 80s, living in traditional-style houses
with heavy ceramic tile roofs that collapsed), 6,000 homes and buildings
destroyed, roads cracked and/or covered by landslides, a fault slip that
came to the surface and displaced a section tens of kilometers long by
something like a meter. Net effect was (if I recall) to push one plate
16cm north.
The biggest newsmaker has been the effect on the Tokyo Electric Power
(TEPCO) nuclear plant, the largest in the world. Leaks of radioactive
water, hundreds of barrels of radioactive waste tipped over (some broke
open and leaked), etc. The most recent list of problems was 63 items
long. Opposed to or in favor of nuclear power, TEPCO's slow response
and misinformation are creating a firestorm here. The reactor itself
was designed to withstand only a 6.5; regulations were already under
revision to up that number, but weaker plants will be in use for
decades.
But you knew that, and I want to talk about piston rings, not nuclear
power.
One small company in Niigata, Riken (no relation to the research lab
with a similar English name, I'm sure) makes 60% of the piston O rings
used by *all* of the car manufacturers in Japan. Their plant was badly
damaged.
Japan's auto makers, of course, are famed for their "just in time"
supply chain management. I know people who have worked for
subcontractors, and the penalty for being late in supplying a critical
part can easily exceed $100,000 A DAY.
Toyota was forced to idle at least 27 plants, Daihatsu four, Honda and
other manufacturers several each. Toyota is still shut down, as of this
writing (Monday, a week after the quake), and has an output loss of
46,000 cars or more. I haven't seen a breakdown of the percentage
intended for domestic consumption versus export.
One interesting part of the response is that the auto manufacturers sent
teams of their idled workers to Niigata to help Riken clean up and get
back in production. They were there helping by Thursday, despite the
transportation disruption, general shortages of goods including water,
food, and electricity, and risk of aftershocks.
One point and one question:
* A disaster it is, but a relatively local one, in a mid-level city
where events rarely make the world news. And yet it will affect car
prices around the world, no doubt. Just one more data point that the
world's economy is one large web.
* Toyota is a very well-run company, but they let this happen to them
with an important single-sourced part. How good is YOUR disaster plan,
whether personal or corporate? How good are your suppliers' disaster
plans, and their suppliers'?
IP Archives: http://v2.listbox.com/member/archive/247/=now
------------------------------
Date: Fri, 27 Jul 2007 20:44:09 +0200
From: Erling Kristiansen <erling.kristiansen@private>
Subject: If this guy's telling the truth, he should never fly an airplane
ADS-B ROLLOUT IS ON THE WAY
Wilson Felder, director of the William J. Hughes Technical Center in
Atlantic City that is evaluating the system, told reporters that ADS-B is
something all pilots should want in their panels. He's flown with it
personally for about 60 hours in his Cessna 172 and seen its value
firsthand. "It's saved my life at least three times," he said.
<http://www.avweb.com> issue 13.30e
[Must be a pretty lousy pilot if he needs to have his life saved 3 times by
a new gadget in 60 hours of flight!]
------------------------------
Date: Fri, 27 Jul 2007 13:57:50 -0400 (EDT)
From: msb@private (Mark Brader)
Subject: Three little zeroes
Frank Van Buran is an accountant in New York. He had an Exxon Mobil credit
card for his business, which was expiring. He asked for two copies of the
new one. He got them -- and then 2,000 more. Which were left in boxes on
his doorstep, where anyone could steal them, and which the company expected
him to destroy (it took hours). Nothing seems to have been publicized as to
what exactly went wrong, but how could it be anything but computer-related?
http://www.nydailynews.com/money/2007/07/26/2007-07-26_tomfuelery-1.html
Mark Brader, Toronto, msb@private | "Volts are like proof" --Steve Summit
------------------------------
Date: Fri, 27 Jul 2007 18:09:36 -0400
From: EPIC News <alert@private>
Subject: Department of Health Proposes New Records System (EPIC Alert 14.15)
[Excerpted from Volume 14.15, 27 Jul 2007. PGN]
E P I C A l e r t
Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.
http://www.epic.org/alert/EPIC_Alert_14.15.html
Department of Health Proposes New Records System
On June 26, the Department of Health and Human Services (HHS) proposed
to establish the National Disaster Medical System (NDMS) Patient
Treatment and Tracking Records System. The goal of this new records
system is to collect individual health data from people receiving
medical care provided by NDMS. The NDMS is a joint effort between HHS,
the Department of Defense, the Department of Homeland Security, and the
Veteran's Administration to provide additional resources to supplement
the public health and health care actions local and state governments
provide during emergencies.
Under the proposal, all persons treated by NDMS medical staff may have
their health data recorded and placed into a record system. This would
include demographic information as well as data regarding patient
diagnosis, treatment, and location. This data may be obtained from the
individual patients, their physicians, or by access to the health
records of patients.
The NDMS Patient Tracking System contains various "routine use" disclosures
to all the federal agencies that share responsibility for evacuation and
treatment of patients under NDMS in order to ensure the highest level of
patient care possible. Routine use disclosures may also be made to
consultants, contractors, and grantees who may require access to the health
records for business purposes related to the collection of the data.
Lastly, routine use disclosures will be made to state and federal agencies
as necessary to establish the benefit entitlement of the patient or to help
families locate evacuated family members.
The routine use disclosures contained within the NDMS Patient Tracking
System raise some privacy concerns that EPIC addressed in comments submitted
to HHS on July 26. In the comments, EPIC stated that HHS should build
privacy protections into the system in order to ensure that patients receive
quality emergency health care without having to sacrifice their medical
privacy. EPIC also urged HHS to clearly define how the system of records
notice will comport with the Health Insurance and Portability Act (HIPAA).
Any proposed routine use disclosures that violate HIPAA provisions should
not be included.
The NDMS Patient Tracking System collects data during emergency situations.
Due to the extreme nature of these events, privacy and safety can easily be
overlooked if they have not already been built into the system. EPIC urged
HHS to consider the impact that the proposed routine use disclosures could
have on victims of domestic violence, as well as other displaced
individuals. After Hurricane Katrina, numerous evacuees faced instances of
personal information abuse. For this reason, EPIC encourages the use of
health data collected by the NDMS for patient treatment purposes only.
EPIC's Webpage on Hurricane Katrina and Identity Theft:
http://www.epic.org/privacy/idtheft/katrina.html
EPIC's Webpage on Domestic Violence and Privacy:
http://www.epic.org/privacy/dv/
EPIC's Comments on NDMS Patient Treatment and Tracking Records System (pdf):
http://www.epic.org/privacy/dv/ndsm_comments.pdf
Department of Health and Human Services System of Records Notice (June
26, 2007) (pdf):
http://www.epic.org/redirect/hhs2707.html
------------------------------
Date: Thu, 26 Jul 2007 09:26:52 -0400
From: "Andrew Koenig" <ark@private>
Subject: Comair Flight 5191 (RISKS-24.75)
The report in RISKS 24.75 inadvertently pointed out an example of an
organizational antipattern--a kind of behavior that appears on the surface
to solve a problem but actually does the opposite.
The first sentence: "Comair pilot instructors testified that the crew of
Comair Flight 5191 committed numerous procedural violations relating to
briefing, taxiing, and 'sterile cockpit' rules (maintaining a
distraction-free cockpit) before taking off from the wrong runway..."
The fallacy is "post hoc, ergo propter hoc." In other words, the crew
violated procedures, then crashed; so it is tempting to assume that the
violation caused the crash--despite the other problems cited later in the
article. From a bureaucrat's viewpoint, this assumption can then be used to
make the procedures more restrictive, increase crew monitoring, etc., all
without proving that the procedures are actually useful.
Of course it is possible that the procedural violations caused the crash.
The antipattern--and one that is particularly tempting for bureaucratic
organizations--is to assume without proof that they did so, perhaps because
that assumption is the one that most benefits the organization.
------------------------------
Date: Fri, 27 Jul 2007 23:17:11 +0100
From: David Alexander <dave_ale@private>
Subject: Re: Accuracy of Hawkeye at Wimbledon
I read the submission from Mike Scott, regarding the errors he recalls
seeing in the Wimbledon tennis 'Hawkeye' line-call system last year and the
reliance of the Lawn Tennis Association upon it this year.
Mr Scott makes no allowance for the upgrades to the system, and testing,
that have taken place in the intervening 12 months. It would have been wrong
to rely on the system in its debut year because it certainly had some
accuracy issues. Those have now been largely resolved and the system was
used with overall approval from almost everyone It's not perfect, but it's
now more accurate than the 'mark one eyeball' of the line judges. There were
only 4 days out of the whole tournament where the challenges by players
against its performance were upheld more than 50% of the time, after
reviewing the footage.
This system has now been adopted for all of the Grand Slam tournaments
except France, which is a clay court surface.
David Alexander, Towcester, Northamptonshire, England
[Challenges "upheld more than 50% of the time?" That would be an
intolerable error rate for many other situations, such as the Employment
Eligibility Verification System or a terrorist watch list or automated
face recognition, especially on a large scale. On the other hand, some
tennis players are known to have completely lost their cool as a result of
egregious line calls. One might think that the chair umpire would call a
LET instead of letting a "definitive" simulation stand when the margin of
error of the simulation may be much greater than the width of the actual
ball suitably flattened by an overhead smash. PGN]
------------------------------
Date: Wed, 25 Jul 2007 14:49:15 -0700
From: Nicholas Weaver <nweaver@private>
Subject: Re: iPhone Security Flaw (Leeson, RISKS-24.75)
Given the ease of spoofing packets and the other games which can be played
on a wireless network, it wouldn't surprise me if the "person sitting next
to you" could exploit this to infect your system, e.g., by quickly bursting
a HTTP redirect (even before the remote site really completes the handshake
and realizes something is wrong) and then carrying out the exploit through
the redirected page.
------------------------------
Date: Sun, 29 Jul 2007 19:30:33 -0700
From: Richard Grady <richard@private>
Subject: Re: Risk with the Mac OS X 10.4.10 version number (Yip, RISKS-24.72)
Microsoft had an analogous problem when MS-DOS was introduced, way before
the Windows system. The solved it with the SETVER command. This excerpt
explains the purpose of SETVER:
Definition of: DOS Setver
An external command starting with DOS 5 that updates a version table
containing names of programs and the DOS version number they need to run
under. Programs may test version numbers and function differently as a
result (all DOS's are not the same), but some programs didn't plan on DOS
5 and DOS 6 as future numbers. This command "fakes them out" by supplying
them with the version number they need.
http://www.pcmag.com/encyclopedia_term/0,2542,t=DOS+Setver&i=41854,00.asp
Apple needs a version of the SETVER command.
------------------------------
Date: 2 Oct 2005 (LAST-MODIFIED)
From: RISKS-request@private
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. The mailman web interface can
be used directly to subscribe and unsubscribe:
http://lists.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman your
FROM: address, send a message to
risks-request@private
containing only the one-word text subscribe or unsubscribe. You may
also specify a different receiving address: subscribe address= ... .
You may short-circuit that process by sending directly to either
risks-subscribe@private or risks-unsubscribe@private
depending on which action is to be taken.
Subscription and unsubscription requests require that you reply to a
confirmation message sent to the subscribing mail address. Instructions
are included in the confirmation message. Each issue of RISKS that you
receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
The full info file may appear now and then in RISKS issues.
*** Contributors are assumed to have read the full info file for guidelines.
=> .UK users should contact <Lindsay.Marshall@private>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you NEVER send mail!
=> SUBMISSIONS: to risks@private with meaningful SUBJECT: line.
*** NOTE: Including the string "notsp" at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
or ftp://ftp.sri.com/VL/risks for previous VoLume
<http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
<http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
<http://www.csl.sri.com/illustrative.html> for browsing,
<http://www.csl.sri.com/illustrative.pdf> or .ps for printing
------------------------------
End of RISKS-FORUM Digest 24.76
************************
This archive was generated by hypermail 2.1.3 : Tue Jul 31 2007 - 16:55:48 PDT