[RISKS] Risks Digest 24.84

From: RISKS List Owner (risko@private)
Date: Wed Oct 03 2007 - 15:27:09 PDT

RISKS-LIST: Risks-Forum Digest  Wednesday 3 October 2007  Volume 24 : Issue 84

Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
The current issue can be found at

LAUSD payroll fiasco (David E. Ross)
Assessing personal risk (Jeremy Epstein)
Altered iPhones Freeze Up (Ken Knowlton)
Alameda e-voting results tossed out (Dave Lesher)
Dutch government suspends computer voting (Dik T. Winter, Eric Ferguson)
Re: E-vote 'threat' to UK democracy (Blanche Kapustin)
Re: Memphis center outage (Bill Hopkins)
Re: On-line property assessment databases (Jonathan Kamens)
AOL classified RISKS-24.83 as spam (Ken Knowlton)
Re: Silly "Bad Words" filter (Gary Barnes)
Abridged info on RISKS (comp.risks)


Date: Thu, 27 Sep 2007 16:56:28 -0700
From: "David E. Ross" <david@private>
Subject: LAUSD payroll fiasco

Relating to Steve Bellovin's ``Deploy first, test later'' (RISKS-24.83), a
similar fiasco has been afflicting employees in the Los Angeles Unified
School District (LAUSD) since early this year.  LAUSD is the second largest
K-12 public school system in the nation.

Some eight months after "going live" with their new payroll system,
employees are still receiving incorrect paychecks or no paychecks at all.
The administration does not yet know whether correct W2 forms will be issued
in January.  Employees retiring cannot get correct pension benefits.

Of course, when the new system was deployed, there were no contingency plans
to roll back to the prior system.  By now (after a delay of months), a
roll-back is likely to be impossible.

David E. Ross <http://www.rossde.com/>

  [On 1 Oct 2007, an NPR report mentioned that Deloitte Touche had received
  $95M for the original system, which did not work, and that another $10M
  had been spent on contracts aimed at fixing the system -- which to date
  still does not work.  PGN]


Date: Fri, 28 Sep 2007 15:32:41 -0400
From: "Epstein, Jeremy" <Jeremy.Epstein@private>
Subject: Assessing personal risk

I haven't seen this talked about, although there have been a few blog
comments.  A Sep 24 article in *The Washington Post* summarizes research
done by Dr. Jennifer Lerner at Carnegie Mellon on individual perceptions of
risk.  Not surprisingly to readers of RISKS, people dramatically misjudge
risk - but what was surprising to me is how they did it in contradictory
ways.  WashPost says "Lerner found that anger and fear systematically bias
people's risk estimates in opposite directions.  Anger causes people to
underestimate risks, which may be why drivers in the grip of road rage
confidently attempt perilous maneuvers that place themselves and others in
danger. By contrast, people who are afraid overestimate risks."

The *WashPost* article also discusses research by psychologist David Mandel
of Defense Research and Development Canada, noting "While psychology is not
much use in predicting the future when it comes to terrorism, what it can do
is highlight errors in thinking. Mandel asked people after the Sept. 11
attacks what they thought the risk of a major terrorist attack would be in
the next two months. He then asked his volunteers to estimate the risk of an
attack specifically by al-Qaeda and the risk of an attack by a completely
separate group. Mandel found that when he totaled a person's responses about
the likelihood of each of the subdivided possibilities, their sum was
greater than the person's guess about the overall likelihood of a terrorist
attack."  Also, people misconstrue their own risk vs. the risk to others:
"People invariably see themselves as being at lower risk than the average
person -- they guessed that they had a 1-in-5 chance of being hurt but that
others had a 1-in-2 chance of being hurt. Obviously, these statistics cannot
be true for everyone."

So to bring this back to RISKS, I wonder how these psychological results
apply to technology risks.  Do we underestimate the risk of cyberattacks and
take unnecessary risks (e.g., knowingly going to dangerous web sites, not
running the latest security software) because we think we're immune as
security professionals?  Or are we overestimating our risk because we're
afraid?  I don't have any answers, but the article made me think about risks
and RISKS.



Date: Sat, 29 Sep 2007 09:38:51 EDT
From: Ken Knowlton <KCKnowlton@private>
Subject: Altered iPhones Freeze Up

A software update to Apple's iPhone on Friday disabled third-party
applications and rendered iPhones that had been unlocked completely
unusable.  [Source: Katie Hafner, *The New York Times*, 29 Sep 2007]


Date: Tue, 2 Oct 2007 14:05:51 PDT
From: "Peter G. Neumann" <neumann@private>
Subject: Alameda e-voting results tossed out

Judge Voids Election Results Over E-Voting Results That Couldn't Be Audited

Apparently a judge in Alameda County, California, has voided some election
results after the e-voting tallies from Diebold machines couldn't be
audited. The vote was on a controversial ballot measure, where the end
result was quite close.  [Source: Techdirt, 2 Oct 2007, thanks to Dave Lesher]


Date: Sat, 29 Sep 2007 02:06:38 GMT
From: Dik.Winter@private (Dik T. Winter)
Subject: Dutch government suspends computer voting

On 28 Sep 2007 the Dutch government suspended all voting by voting machines.
In a report it was found that the systems were unsafe, not controllable and
did not allow recounting.  So while most of the country had converted to
voting computers, the next vote will again be with a red pencil.  (Amsterdam
was late in conversion, so I only voted once with a machine, but that
machine was already disallowed on the next vote, so we got back to pencil
early.)  The major problems seen are:

1.  There is no way to verify that a machine runs a version of the
    software that is approved.
2.  There is no way to recount if there is a dispute.

The recommendation of the commission that looked into it is to wait for
voting machines that print out a paper recording the vote that you put in a
box.  When counting starts, the papers from the box are collected and
another machine does the counting.  This indeed would reduce a lot of paper
work (I have had A2 format forms where I should make one circle red).  And
there is a clear paper trail, so if a counting machine is not trusted,
counting by hand is always possible.

I think the recommendations are pretty risk-aware: let the machines do what
they can do, but leave a full controllable trail.

Aside: the size of the voting papers is because almost all elections include
fifteen to twenty parties, with up to 50 persons on the list.  And you have
to choose one of those.

And, PS, it is rumoured that the producer of the Dutch voting machines (or
one of its employees) has edited the Wikipedia page.

And finally, Amsterdam (with red pencil voting) had its final results long
before other communities that did use computer voting on the last vote.

dik t. winter, cwi, kruislaan 413, 1098 sj  amsterdam, nederland, +31205924131
home: bovenover 215, 1025 jn  amsterdam, nederland; http://www.cwi.nl/~dik/


Date: Sat, 29 Sep 2007 01:40:50 +0200
From: "Eric Ferguson" <e.ferguson@private>
Subject: Dutch government suspends computer voting

[...] The whole issue of voting machines will be reconsidered from scratch.

Look at "www.WijVertrouwenStemcomputersNiet.nl" for more information, or
look at government sources or newspapers like www.nrc.nl and www.trouw.nl,
with the search term "stemcomputers" and "nedap".

Eric T. Ferguson, van Reenenweg 3, 3702 SB ZEIST Netherlands tel 030-2673638


Date: Sun, 30 Sep 2007 04:07:19 +0200
From: Blanche Kapustin <info@private>
Subject: Re: E-vote 'threat' to UK democracy (Lesher, RISKS-24.71)

I noticed I was quoted in RISKS-24.71, and thought you might want an update.
The BBC interview seems like ages ago, but it was just before the last
presidential election.

First, the laws have since changed and all of our state of Virginia is
looking into new machines.  I've only heard bits of this, but I suspect
we'll all hear much more in the coming months.

Second, I'm not "the election official."  I'm a seasonal employee at the
Office of Elections.  There are plenty of people who know more about
election machines, e-voting, laws, and elections in general than me.  They
are full-time staff at the Office of Elections.

Third, most of the reporters who interviewed us that day got their facts
wrong.  For starters, have you ever heard an American say "tick" in this
context?  We say "check" or "checkmark."  One newspaper stated my name as
Miss Blanche Kapustin, right next to a photo of my hand on the machine's
screen, displaying my wedding ring.  Some misspelled my name.  And many took
bits and pieces of what we said and twisted it out of context.  For example,
one neglected the word "not" in a sentence.  That totally changed the

In any case, if you have any questions, feel free to e-mail me at
info@private  But please disregard anything you read in the
press.  It's outdated, but even at the time, most of it was obviously


Date: Fri, 28 Sep 2007 18:31:58 -0400
From: "Bill Hopkins" <whopkins@private>
Subject: Re: Memphis center outage (RISKS-24.83)

It appears that the only failure in Memphis was the comprehensive
communication system, which appears to put a lot of eggs in one somewhat
fragile basket.

In the olden days, there were separate redundant sets of comm lines for
- receiving radar reports from the sensors,
- co-ordinating with other facilities, and
- talking to the aircraft.

If the radar lines went down, center could still talk to the pilots and the next center.

FTI, the Federal Telecommunications Infrastructure program, replaces all of
these with a single, demonstrably-not-sufficiently-redundant pipe.  It seems to
have been taken down by a single board failure.

Insert appropriate jumping-up-and-down here.  Oh, I may have left an 'r' out
of the subject line.

For the technician's union take, see


Date: Mon, 24 Sep 2007 12:42:01 -0400
From: "Jonathan Kamens" <jik@private>
Subject: Re: On-line property assessment databases (RISKS-24.82)

I have received a number of enlightening responses to my submission about
on-line property assessment databases in RISKS 24.82.  I would like to
share these and my responses to them in turn.

One respondent disputed my claim that before these databases were put
on-line, the corresponding paper records were indexed by address rather than
name.  He wrote, "I don't think that is precisely true with respect to the
land records.  Deeds are indexed by grantor/grantee, not by street

I may have been mistaken in my belief that paper records were not indexed
by grantee.  However, I submit that it's rather easier for someone with
nefarious intent to sit in front of a computer for an hour searching
registries on-line than for him/her to travel in person to registries of
deeds all over the state / country and start pulling books off the shelf
to find someone.

Yes, the information was always public (a point made by other
respondents), but it was not always so easy for the public to gain access
to it.  The information can and should be sufficiently accessible for
people who have a real, legitimate need to access it, but it should at the
same time be sufficiently *in*accessible to dissuade people whose need is
not legitimate.


Another respondent asked if I knew about www.zabasearch.com and
www.intelius.com, both of which (along with others, I'm sure) "provide
lots of name-based info derived from public records." I am indeed
familiar with these services, although I haven't ever paid them money to
find out just how much information they are able to uncover.  As my
respondent noted, the information they provide is derived from public
records, so this goes back to the issue which prompted my initial
submission to RISKS -- the level of information available in the public
records is itself a concern.


On a related note, one respondent noted that there are numerous companies which
have made a business out of sending ``data moles'' in person to registries
and other government offices to grovel through paper records and capture
their contents into private databases which can then be used and sold for
various purposes (e.g., I've received numerous solicitations which identify
the amount of my existing mortgage and the lien holder, and I recently
received an official-looking letter offering to provide me with a registered
copy of my deed (which of course I already have) for $60).  He reasoned that
since these databases already exist and are accessible for a fee, it's
reasonable for the government offices to make the data available themselves
for free, to ensure equal access to it.

I see two flaws in this argument:

1. It presupposes that we should in fact be allowing private companies to
collect and disseminate the data.  Perhaps the right answer is not to allow
everyone to access it since these private companies already are, but rather
to restrict access for these private companies as well.  It seems to me that
it would be virtually impossible for such companies to do business in
Europe, given the strict privacy laws there.  With identity theft such a
huge problem nowadays, it is not obvious to me that the European model isn't
closer to correct than ours.

2. These private companies don't give away the data for free; they're doing
the data collection to make money from it, so they charge for it, and even a
minimal fee for access is a decent barrier for dissuading casual use of the
data for nefarious purposes.  It may in fact be perfectly reasonable to
allow third-party databases of this data to exist (although, as noted above,
that's an open question), as long as there are such barriers.

In my opinion, the data in land and assessment records should be freely
accessible on the Internet without any names associated with it.  If you
want to look something up by name, there needs to be some sort of barrier to
doing that, although I don't have a firm opinion about the nature or height
of the barrier.  Some possibilities include fee-based access; appearance in
person at the registry; and being required to show cause for such a look-up
assuming that it isn't for your own data.


Two respondents mentioned Florida's Sunshine Law, which requires the vast
majority of government information to be public and accessible.  While I
understand and to some extent agree with the motivation behind this law,
even this law has exceptions to address safety and privacy concerns, and I
would argue that being able to search land records by name should be such an

Tanner Andrews, a lawyer from Florida, expounded at length about why the
information which concerns me should be public.  Most of the points he made
in his response are irrelevant to my point, since they do not depend on the
information being searchable by name, and thus do not contradict my claim
that whatever minimal benefit there might be from such searchability is
outweighed by the risk. The closest that Mr. Andrews came to explaining why
the database should be searchable by name was this:

"Here in Florida, most of the property appraisers are elected. If you
suspect some partiality, you ought to be able to see what property is owned
by the people who gave the statutory maximum to the campaign. You ought as
well to be able to decide whether those properties appear to be especially
favorably assessed. In areas where the appraiser is appointed you may wish
to do a similar investigation of properties owned by the people doing the

I do not find this argument convincing, because the reality is that the
people doing such investigations are not private citizens but rather
public advocates, journalists, etc.  These people have the time and
resources to find out where "the people who gave the statutory maximum"
and "the people doing the appointing" live.  Once you know where these
people live, you can look up their property values by address, which I've
never argued should be impossible.  Please see my earlier point about
making the information both sufficiently accessible and sufficiently

Mr. Andrews also wrote:

"Furthermore, a dedicated stalker can do the same things for the lady of
his misguided affections. The computer search may save him the half-hour
in the Clerk's office, but someone who has time to stalk probably has time
to visit the courthouse as well."

This is true if a stalker already knows the town or city in which his/her
target resides.  However, as I've noted previously, the ease of access to
these data on-line makes it possible for someone with nefarious intent to
search, quickly, easily and for free, not just a single town or city, but
an entire state or indeed multiple states.  This is hardly comparable to
the example Mr. Andrews gave of a "half-hour in the Clerk's office."


Another respondent mentioned the possibility of keeping one's name out of
land records by assigning the property to a trust rather than to
individual owner(s).  Trusts are complex legal instruments that cost money
to establish, and I hardly think that individual property owners should be
burdened with that expense just to keep their names out of on-line
property databases.  Furthermore, the task of educating at-risk
individuals of the need to utilize such trusts to conceal their location
is a daunting one.


Finally, one respondent informed me that California has legislation
prohibiting the public dissemination of property records with owner names.
I have not been able to verify this, but if it's true, then it indicates
that at least one state understands this problem and has taken steps to deal
with it.  It's not surprising that it's California; they frequently lead on
things like this.


Date: Fri, 28 Sep 2007 18:29:09 EDT
From: Ken Knowlton <KCKnowlton@private>
Subject: AOL classified RISKS-24.83 as spam

  [Fortunately, Ken caught it.  Maybe it was the "silly bad words" item?
  But AOL already had a bad rep for rejecting all sorts of good content.


Date: Thu, 27 Sep 2007 23:29:35 +0100
From: Gary Barnes <gkb@private>
Subject: Re: Silly "Bad Words" filter (Kopka, RISKS-24.73)

Reinhard Kopka wrote of a "bad words" filter that triggered on partial word
matches and replaced the partial match with a cleaner alternative.

In a similar vein, the facility to talk with other players at your table on
Partypoker.com triggers on a part of an innocent word partially matching a
rude word, and so changes "full house" to "YYYY house", which would seem to
be a little overzealous.

  [NOTE: Two out of four letters matching an offensive four-letter word?
  That really is overzealous.  By the way, I changed the four Xs to four Ys
  in an attempt to avoid spam-filtering of *this* issue!  PGN]


Date: 2 Oct 2005 (LAST-MODIFIED)
From: RISKS-request@private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.   The mailman web interface can
 be used directly to subscribe and unsubscribe:
 Alternatively, to subscribe or unsubscribe via e-mail to mailman your
 FROM: address, send a message to
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe@private or risks-unsubscribe@private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users should contact <Lindsay.Marshall@private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks@private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing


End of RISKS-FORUM Digest 24.84
