Subject: RISKS DIGEST 10.60
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Wednesday 14 November 1990  Volume 10 : Issue 60

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Computer Mishap Forces shift in Election Coverage (bahn_pr)
  Voting electronically from home (revisited) (John Roe)
  Barclays' security: apologies! (Pete Mellor)
  Juicy 911 RISKS (Steve Smaha)
  Re: UK Software Engineer Certification (Brian Tompsett)
  Software Protection Tool (Dave Erstad)
  Sprint's voice-card system (Steve Elias, Jerry Glomph Black)
  Re: Carbons (Douglas W. Jones)
  Your Flood Stories, Please (Lindsay F. Marshall)
  Corrected version of Virus Conf announcement (Gene Spafford)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in
good taste, objective, coherent, concise, and nonrepetitious.  Diversity is
welcome.  CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive
"Subject:" line.  Others ignored!  REQUESTS to RISKS-Request@CSL.SRI.COM.
FTP VOL i ISSUE j: ftp CRVAX.sri.com  login anonymous  AnyNonNullPW
CD RISKS:  GET RISKS-i.j; j is TWO digits.  Vol summaries in risks-i.00
(j=0); "dir risks-*.*" gives directory; bye logs out.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues of
ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Fri, 9 Nov 90 16:04:31 -0500
From: bahn_pr%ncsd.dnet@gte.com
Subject: Computer Mishap Forces shift in Election Coverage

The Washington Post, New York Times and USA Today had ordered national vote
trend analyses from Voter Research and Surveys, a company set up to do exit
poll surveys and have the results analyzed by 3:30pm on Election Day, 6 Nov
90.  A computer glitch prevented the results from being available at all on
that day.
VRS had the data, but the weighting program did not work.

   [Abstracted by PGN from `Computer Mishap Forces shift in election
   coverage, Major Newspapers faced with delays in polling data', by Lynn
   Duke, staff writer Washington Post, 7 Nov 90]

Now what I found interesting was the idea of Sam Donaldson screaming into
some programmer's ear while a camera is pointed on him.  "Fix the program or
we'll do a story on you buddy."  :-)

There are some interesting risks.  First that unclean data was used and
second that the big news agencies now all use the same polling source.  What
a risk if someone hacked them to create false trends.  [bahn_pr]

------------------------------

Date: Mon, 12 Nov 90 13:27:39 MST
From: John Roe
Subject: Voting electronically from home (revisited)

A Boulder CO group has rediscovered Bucky Fuller's 50-year-old suggestion
that everyone should be able to vote telephonically from home or wherever.

  "The system is based on a personal computer hooked into [the] telephone
  line.  [Local activist Evan Ravitz] also loaded a list of registered
  Boulder County voters into the computer's memory, and the system checks
  names against a six-digit code based on date of birth.  Callers enter
  their selections for the ballot by entering numbers on a Touch-Tone
  telephone. [...]

  "Boulder County Clerk and Recorder Charlotte Houston ... placed a call to
  the system on Monday and found that she could have voted for her son and
  daughter by providing their birth dates or Social Security numbers."

   [Abstracted by PGN from `Phone voting?  Boulder group says it's time', an
   AP story from the Loveland, Colorado, Reporter-Herald, 6 Nov 1990.]

I found this article alarming for a number of reasons:

First, the possibilities for massive fraud are probably obvious to all RISKs
readers.
For example, if (as implied by the article) one can vote for another by
simply knowing either the birth date or their Social Security number, with
the hardware already in my own basement plus an appropriate database (which
shouldn't be too hard to come by) I could have easily changed the outcome of
a number of races and constitutional amendments here in Colorado during the
November 6th election.  With a concerted effort I could have chosen any
candidate I wished.  If I knew which registered voters had not voted
recently, I could even make a reasonable effort at making my fraud somewhat
less detectable.

Second, I was disturbed (but not surprised) that the article emphasized the
"gee-whiz" aspect of the idea, but mentioned the RISKs only in passing, and
ended with a statement that implied that concerns over fraud were irrelevant
and paranoid.  The token assurances of Mr. Pelton only serve to support this
perception.  I have come to expect that the popular press is ill-equipped to
understand, evaluate, and explain the risks of technology to their readers
(or viewers, in the case of television).  This latest example only
reinforces my expectations.

Finally, and perhaps most significant, was the cavalier attitude of Mr.
Ravitz toward the possibility of fraud, and his obvious lack of
understanding of the problem.  The current system is NOT based on honesty:
it is based on physical security.  If it is sufficiently hard for the same
person to vote multiple times, voter fraud can be reduced to acceptable
levels (but not eliminated, of course).  In my precinct, I could conceivably
vote two or three times before the election officials would start getting
suspicious.  If I spent the entire day driving around to various polling
places in northern Colorado, I could perhaps vote a few dozen times.  But to
influence the outcome of the election would require a large number of
cohorts; a task I could accomplish by myself from the comfort of my own home
if Mr. Ravitz's proposal becomes law.

I wonder if we would be permitted to vote on changing Colorado's election
laws to permit voting by phone, by voting by phone?  The outcome of such a
vote could be enlightening ...

John Roe, Hewlett-Packard, Colorado Integrated Circuits Division,
3404 East Harmony Road, Fort Collins, Colorado 80525-9599  (303) 229-4554

------------------------------

Date: Tue, 13 Nov 90 11:30:57 PST
From: Pete Mellor
Subject: Barclays' security: apologies!

In RISKS-10.50, in an item entitled "Hackers blackmail five banks (UK)", I
gave excerpts from a newspaper report about the breach.  I followed this
with an anecdote told by the manager of the local branch of a chain of
off-licences, who found that, after sending in his completed order to the
main warehouse, what appeared to be credit card transactions from Barclays'
Bank were displayed on his screen.

Shortly thereafter, I received a phone call from the head of Information
Security at Barclays, who was puzzled by the incident, and requested further
information.

Barclays' investigation revealed that the credit card transactions were in
fact records of purchases made using the particular card at that
off-licence, and others of the chain in the area.  There was therefore no
breach of security, since, of course, the manager had the right of access to
that information.  The incident was *not*, as I first thought, due to
unencrypted transactions being transmitted over the public telephone lines
being received by the wrong terminal.  The only problem appears to have been
a minor glitch which caused a file of credit transactions on the local
machine to be displayed when my friend was not expecting it.

So apologies to Barclays Bank!  I hope that Barclays' security department
are happy to let me set the record straight via RISKS, which they obviously
monitor, and perhaps they would care to add some comments of their own.

Moral: Check your facts before passing on anecdotes which you hear in pubs!

Peter Mellor, Centre for Software Reliability, City University,
Northampton Sq., London EC1V 0HB  +44(0)71-253-4399 Ext. 4162/3/1
p.mellor@uk.ac.city (JANET)

------------------------------

Date: Sun, 11 Nov 90 13:51 EST
From: Steve Smaha
Subject: Juicy 911 RISKS

"911 calls are ripe for trouble"
11 Nov 90 Austin American-Statesman, BLACKSBURG, VA (AP)

These are hardly salad days for Montgomery county law officials.

Last week, police were testing the county's 911 system, scheduled to begin
operating next month, when the dispatcher received 10 calls that were traced
to the home of Linda and Danny Hurst.

She tried to call the line, but it was busy.  When she hung up, she received
another call from the same line.  And another.

Deputy sheriff tracked down Linda Hurst.  "I told them I'd locked my house
and there shouldn't be anyone in there," she said.

Police, concerned that someone had broken in, asked Hurst to meet them at
her house.  She parked in front of the house, and walked up to the front
door.

"But they said, 'Ma'am, step back please.'  I looked back and they had their
guns drawn.  They were serious," Linda Hurst said.  "They went through the
house, but they couldn't find anybody, so I went inside."

Finally, Linda Hurst's brother spotted the culprit - an overripe tomato.
The tomato was hanging over the telephone in a wire basket, dripping juice
into the couple's answering machine.

Chief Deputy Milton Graham said the tomato juice apparently got into the
telephone's dialing system and caused it to dial the sheriff's office.
"We're not sure how.  Maybe they had speed dialing and it shorted out," he
said.

"I didn't know the answering machine could even dial out," Linda Hurst said.
"It's just supposed to take messages."

------------------------------

Date: Mon, 12 Nov 90 12:24:00 GMT
From: Brian Tompsett
Subject: Re: UK Software Engineer Certification

This note supplies greater detail about the steps involved in the
certification of Software Engineers in the UK.
It is in response to several inquiries requesting more detail after my last
contribution to RISKS (Sept 21, 1990).

In answering the questions let me point out that the UK does not have
Software Engineering *specific* certification.  Nor does it have
*certification* in the strict sense that is being discussed in the US at
present.  When I have detailed the routes available in the UK you can decide
for yourself how this relates to what does/will exist in the US.

Let me start by describing the qualification route from High School through
the maze of qualifications and certifications.  I can deal with how existing
Engineers fit into the picture later.

[ASCII diagram, layout lost.  Nodes: Government; Curriculum Body; High
School; University Entrance Exams; University; Accredited Engineering
Degree; Graduate Employment; Engineering Council; Professional Society;
Student member; Corporate Member; Chartered Engineer Status; Fellowship of
Society; European Engineer; Fellowship of Engineering.  Arrow labels:
Approves; Charters; Accredits Society; Accredits Degree Course; Approves
training; Join Society; Get experience; Certified Engineering training and
experience; More Experience; Outstanding Achievement.]

The route illustrated in the above diagram is not specific to Software
Engineers, but is the generic model for all Engineers in the UK.

The student starts by taking a degree course at a University; this may be a
B.Eng, M.Eng or B.Sc. degree.  In order for this degree to be considered a
suitable education for an Engineer the course must be accredited by the
appropriate professional body.  The accreditation examines the curriculum,
the facilities, the teaching department and the institution itself.

After graduating the student is expected to take a position that will
provide practical engineering training and real experience.
The training and experience is logged in the graduate's own engineer's
logbook and signed-off by qualified engineers and trainers.  The
professional society provides the employer with the basic structure for
this.

When the Graduate Engineer has gained sufficient experience (minimum 4
years) he may apply to be a Chartered Engineer.  Admission to Chartered
Engineer can only be made through a professional society and normally
corporate membership of the society requires the same entry qualifications
as Chartered Engineership.  On joining the society the member is required to
follow a professional code of conduct and code of practice.  The admission
procedure involves vetting the applicant's qualifications, receiving
references from the applicant's sponsors who are normally two other
professional members and an interview.

The Professional Society itself is accredited by the Engineering Council.
The accreditation examines the Society's methods and procedures for
admission, course accreditation and so on.  The Engineering Council needs to
ensure that Engineers from all the different disciplines are equally
qualified to be Chartered Engineers.  The area represented by the Society
must also be one that is considered as Engineering.  This was a major hurdle
for the British Computer Society to show that "Information Systems
Engineering" is Engineering and qualified practitioners are worthy to be
Chartered Engineers.  This process took four years.

The Pan-European Engineering element should also be noted.  Someone
qualified as a Chartered Engineer may also apply for the title "European
Engineer".  This is a title that is recognised across Europe.  It also has
its own code of conduct in addition to the one applied by the professional
society.

A fully qualified Software Engineer in the UK would therefore be attributed
as:

    Eur.Ing John Doe B.Sc, C.Eng, MBCS (or similar.)

Others may qualify as Chartered Engineers who do not follow the above route.
They may have become Software Engineers before the terms Computer Science or
Software Engineering existed, or have switched disciplines and previously
qualified in something else.  They may have no formal qualifications at all
and have come into the profession through experience alone or they may have
overseas qualifications and experience.

These groups of people are admitted after having their qualifications and
experience verified in a similar manner to other applicants.  Their
education and training is compared to the standard curricula.  This
sometimes involves examination of the student's class transcripts and the
details of the course syllabus.  In the absence of a contemporaneous
experience and training record a detailed Curriculum Vitae needs to be
validated.  This usually involves finding other Engineers who can act as
referees and certify that the actual work experience claimed actually took
place and was of sufficient quality.  This is usually done by initialing
copies of the curriculum vitae item by item.

Just to confuse the issue, the UK has a Software Engineering Examination
Board who issue certificates of competence in Software Engineering.  These
are not related to the kind of Software Engineer certification we have been
discussing.  The SEAB is involved in the training of people in the SSADM
method that has been mandated for use on UK Government work.

Brian Tompsett, Computer Science, Hull University.

------------------------------

Date: 9 Nov 90 17:06:00 CST
From: "DAVE ERSTAD"
Subject: Software Protection Tool

In the October 18th issue of Electronic Design News there's a blurb about a
new product which obfuscates source code by changing variable names,
removing comments, etc.  The intent is to allow software to be distributed
in source form while still protecting proprietary knowledge.

The RISKy part is what some people believe (either the company or the
reviewer, I'm not sure which).
The last statement in the article is "Distribution also ensure that the
producer receives virus-free code, because VIRUSES CANNOT OPERATE IN SOURCE
CODE" (emphasis added).

Dave Erstad, Honeywell SSEC  DERSTAD@cim-vax.honeywell.com

------------------------------

Date: Sat, 10 Nov 90 14:17:36 -0500
From: Steve Elias
Subject: complaints about Sprint's voice-card system

These complaints about Sprint's voice-card system are a bit silly!  Where do
y'all get the idea that Sprint insists that one use their SSN as their ID
number?

A friend at US Sprint confirms that their internal literature makes no
mention of forcing people to use their SSN.

Until you get some evidence that Sprint will not allow people to use numbers
other than their SSN, please refrain from flaming!

/eli

------------------------------

Date: Fri, 9 Nov 90 16:49:14 EST
From: black@ll-null.ll.mit.edu (Jerry Glomph Black)
Subject: Sprint's New Calling Card

Obviously using the Social Security number as the basis of your FONCARD
security number is pretty dumb.  However, WHO tells Sprint this number?
Presumably YOU, the customer.  So, just feed them a number sequence which
has high mnemonic value for you.  Like maybe your phone number, or a
slightly modified version of same.  I've memorized my 14-digit `random'
FONCARD number, but I use it a lot.  Sometimes it's annoying to dial 11
digits of access code (1-800-877-8000), then the 11 digits of the
destination number, then the bloody 14-digit number.  My wife refuses to do
this, so we got an AT&T card, where all you have to remember is FOUR DIGITS
(tacked on to your 10-digit home number, which you presumably know).
Anybody know why Sprint didn't just adopt this method?  Chauvinism?

Even the police-state People's Republic of Massachusetts allows you to
specify a bogus SS No. for your driver's license, instead of your real one,
so long as your bogus no. doesn't duplicate somebody else's license no.
I recently took out a Hawaii driver's license, and they DEMANDED (over my
vociferous objection) the SS No. or else!  I'm not mega-paranoid, so I
complied.  Any Federal privacy laws involved here?

Jerry Glomph Black, black@MICRO.LL.MIT.EDU

------------------------------

Date: 9 Nov 90 21:31:15 GMT
From: jones@pyrite.cs.uiowa.edu (Douglas W. Jones,201H MLH,3193350740,3193382879)
Subject: Re: Carbons (RISKS-10.59)

> I saw that all messages printed on the FAX, are also 'burned' in the carbon
> paper ... This means that even if I stand next to the machine to receive
> a private message, people can later just open the FAX machine and read the
> message.

This is not a new risk!  For years, typewriters that use a carbon film
ribbon have recorded every word typed on their ribbon.  All you have to do
to find out what was typed on a typewriter is to take out the ribbon
cartridge, pull out the used ribbon and read it.  The more errors and
corrections made during the typing, the more garbled the ribbon will be.

The risk is at least as old as the IBM Selectric typewriter, and is
well-enough known that it has appeared in many cheap detective stories.

Doug Jones

------------------------------

Date: Mon, 12 Nov 90 16:16:05 GMT
From: "Lindsay F. Marshall"
Subject: Your Flood Stories Please.

Can anyone who has suffered a problem at their installation caused by water
in *any* form (or in fact any other liquids....) or who has heard of such
events please send me a summary of your experience.  Information will of
course be treated in confidence if you should so desire.

Lindsay

MAIL : Lindsay.Marshall@newcastle.ac.uk (UUCP: s/\(.*\)/...!ukc!\1/)
POST : Computing Laboratory, The University, Newcastle upon Tyne, UK NE1 7RU
VOICE: +44-91-222-8267  FAX: +44-91-222-8232

------------------------------

Date: Fri, 09 Nov 90 21:04:16 EST
From: Gene Spafford
Subject: Re: Corrected version of Virus Conf announcement (Re: RISKS-10.59)

The following address was missing from the announcement of the 4th Annual
Computer Virus & Security Conference, in RISKS-10.59:

    Dr. Richard Lefkon
    Virus Conference Program Chair
    609 West 114th Street
    New York, NY 10025
    (212) 663-2315

------------------------------

End of RISKS-FORUM Digest 10.60
************************