Subject: RISKS DIGEST 10.72 REPLY-TO: risks@csl.sri.com RISKS-LIST: RISKS-FORUM Digest Wednesday 19 December 1990 Volume 10 : Issue 72 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Re: Computer Models Leave U.S. Leaders Sure of Victory (Richard Schroeppel) Re: Voting Technology ... (Brian Rice, Jerry Leichter, Michael J. Chinni, Lauren Weinstein) Re: Legion of Doom (John Boyd, K. M. Sandberg, Brendan Kehoe) Value of data integrity (Mahan Stephen) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others ignored! REQUESTS to RISKS-Request@CSL.SRI.COM. FTP VOL i ISSUE j: ftp CRVAX.sri.comlogin anonymousAnyNonNullPW CD RISKS:GET RISKS-i.j; j is TWO digits. Vol summaries in risks-i.00 (j=0); "dir risks-*.*" gives directory; bye logs out. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. ---------------------------------------------------------------------- Date: Wed, 19 Dec 90 14:02:12 PST From: r@fermat.UUCP (Richard Schroeppel) Subject: Re: Computer Models Leave U.S. Leaders Sure of Victory My wife's reaction: Let's just hope Iraq is running the same simulation. War Game Vendor, Telephone Support Service: "Really? ... That's awful. ... I wonder how that happened. ... What version are you running? ... 4.1.3? Oh, yeah, that version has a bug in the enemy tanks. Give me your address, and I'll send you the upgrade to 4.2. ... Does who have it? ... Probably; we sent out the upgrades three weeks ago. You should have gotten it by now. Did you send in your registration card? ..." Rich Schroeppel rcs@la.tis.com ------------------------------ Date: Mon, 17 Dec 90 16:33:50 est From: rice@dg-rtp.dg.com (Brian Rice) Subject: The topic that wouldn't die: telephone voting >From the Associated Press (appeared in the News and Observer of Raleigh, N.C., 17 Dec 1990, p. 2B): "WINSTON-SALEM, N.C.: State elections officials looking over November's balloting say voter fraud has tapered in recent years to 'tolerable' levels. "State Elections Director Alex K. Brock says he foresees a day when North Carolinians will vote by telephone. Their voice patterns will be confirmed and their votes tallied by computer. [...]" Aaack! These three sentences have got to be the most thoroughly alarming I've seen with my morning joe in years, even if I ignore the civil-liberties implications of "tolerable levels of voter fraud," or of making voting difficult without a phone, or even of the state's having (or thinking it has) every citizen's "voiceprint." I 'spec I need to send Mr. Brock some back issues of the RISKS digest. It's alarming when a public official seems not at all to have thought about issues that seem obvious to you and me...and the most recent N.C. elections should have given him pause, his satisfaction with them notwithstanding. Many RISKS readers will have been aware of a recent well-publicized race for office in North Carolina between candidates we'll call A and B. Now, candidate A has for quite some years referred to members of a certain ethnic group as the "bloc vote"--that is, against him--so it was not a surprise when reports surfaced after the election that members of A's party went to a precinct heavily populated by members of that ethnic group and methodically challenged every single voter's right to vote. This is an involved process, involving signatures of elections officials, sealed ballots, etc.; obviously this takes a while, and enormous delays were created, mitigating turnout. I'm refraining from naming the candidates, parties, and ethnic groups involved because I'm not trying to make political hay (yes, I worked for B), because these reports have not been confirmed, and because the party-A folks were acting within the letter of the law. Nonetheless, Mr. Brock apparently hasn't heard the phrase "denial-of-service attack." Sigh. Brian Rice, DG/UX Product Assurance Engineering Data General Corp., Research Triangle Park, N.C. rice@dg-rtp.dg.com +1 919 248-6328 ------------------------------ Date: Wed, 19 Dec 90 09:39:00 EDT From: Jerry Leichter Subject: Voting Technology William Plummer asks about cryptographic technology for implementing secure voting. (He also includes a long ramble about weighting voting by amount of taxes paid, a social and political issue that is completely independent of the technology used to implement elections.) There are, in fact, algorithms to implement such votes. There are some very general algorithms allowing groups of mutually-distrustful people to reach a common decision. (One way such problems get posed in the theory community is as follows: The members of a millionaire's club are curious as to which of them is the wealthiest. However, they are also jealous of their privacy, so none is willing to reveal his actual wealth to any of the others. Devise an algorithm which will indicate which of them is the wealthiest, but which will reveal no other information about their wealth to anyone. Solutions to this problem exist. They are quite non-trivial!) An algorithm designed specifically for voting was described in Josh Benaloh's PhD thesis. (Yale, 1987 or 88 I think.) In Benaloh's basic algorithm, we assume a central government and a public, broadcast network. People vote by posting various encrypted messages on the network. The protocol provides two guarantees: No voter can determine another voter's vote; the government cannot fake the outcome (i.e., any voter can look at the published data and, if the government cheated, determine that fact). In the basic algorithm, the government can read anyone's vote. From this basic algorithm, Benaloh goes on to show how to get by without a trusted government - essentially, one can split the government's responsibilities up among a number of independent agents in such a way that only the collusion of ALL the agents would allow a vote to be read. (The idea is that you would choose to do your voting through the Democratic, Republican, and Libertarian Party clearing-houses, plus for good measure the ACLU and the NRA, figuring that if ALL of them are allied against you, there's not much point in worrying about trivialities like vote privacy.) Finally, Benaloh shows how to construct an election which reveals only the minimum of information: Who won, but nothing at all about the vote totals. Again, the techniques involved are mathematically quite sophisticated. (They are closely related to RSA, but not identical to it.) They are all "efficient" in the theoretician's sense (polynomial time), but not (yet?) practical for a real, large election. If you want further information, at last word mail to benaloh@cs.yale.edu was still being forwarded. -- Jerry ------------------------------ Date: Wed, 19 Dec 90 13:05:05 EST From: "Michael J. Chinni, SMCAR-CCS-E" Subject: Re: Voting Technology >From "William W. Plummer" : > The voting system that I would like to see simply weights your vote > by the number of tax dollars that you pay. We have often heard that the > super wealthy use tax loopholes to lower their tax to zero while manipulating > laws to make this possible. On the other end of the scale, the poor are > accused of using tax supported services far in excess of their tax payments; > the poor tend to vote for candidates that promise to keep up the handouts. > Of course, it is the middle income people that support all of this. So, my > scheme has the appropriate negative feedback built into it. Yeah, negative feedback. TO MUCH NEGATIVE FEEDBACK. The MAJOR problem with your scheme is that government under it would only represent those with the most money (the rich). If your plan was made law, I foresee the rich changing their tax-status and doing their tax-returns so that they are taxed the most. This gives them enough votes to elect ANYONE they want. Regardless of the votes of everyone else. This then makes our country no longer a democracy ruled by the will of the majority, but a country ruled by a priviledged few (kind of what england was like before the Magna Carta or what South Africa is like now). What possible results would this have for the non-priviledged few. Results like: result why no labor laws costly (gives the employee more money and hence more voting power) no financial aid for college costly (more smarts and people might realize that they have effectively no say in the way they are governed) The idea being that everything that has made the life (working and private) of the middle and lower classes better, that is funded by the government or was made possible only by government regulation, would be done away with if it interfered with what the rich wanted. End result - the rich get richer and more powerful and the middle and lower classes become one class - the lower class > A major problem with the system is that it require a constitutional > amendment. In other words we would no longer have "One man, one vote." But I > argue that the Constitution was written before income tax and local taxes > etc. In a sense everybody was taxed equally back then. All this new system > does is to restore the equality of the voting power. Back then it wasn't so much as tax equality as it was to insure that those being governed had an effective way to decide how they would be governed. (insert standard disclaimer here) ...!uunet!pica.army.mil!mchinni Michael J. Chinni, Simulation Techniques and Workplace Automation Team, US Army Armament Research, Development, and Engineering Center, Picatinny Arsenal, NJ ------------------------------ Date: Tue, 18 Dec 90 18:50:53 PST From: lauren@vortex.com (Lauren Weinstein) Subject: telephone voting In a recent digest, a contributor quoted (without attribution) from an original Risks message of mine which pointed out some potential problems with "Dial-A-Vote" systems--particularly in regards to identity issues. He used phrases such as "patently false" and "pandering to the fears of the ignorant", and seemed to feel that other messages pointing out ways to do physical mail voucher voting invalidated the concerns. I'd like to point out that my original message was clearly oriented *specifically* toward the issues of telephone-based voting systems. I was not discussing physical mail-based systems. The author admitted that the issue of disassociating the vote from its origin in a telephone-based system was a serious problem. That's the whole point of my original message! Given the realities of modern telephone technology, there is no way for users of such a system to be sure that their telephone number, and thus their address, has not been tagged by the voting system. Even if the system doesn't need to differentiate among voters in a multi-voter household, the simple capability of automatically correlating vote with voter location should trigger the Risks alarm bells. Anyone who thinks that significant numbers of voters will bother to vote from payphones (assuming such is possible) to avoid such problems is dreaming! Finally, I don't consider pointing out these concerns to be "pandering to the ignorant". Even when there is a theoretical way to do the job right (which isn't always the case), the way the job may actually be done may not avail itself of the correct techniques, in the interests of time, money, or other factors. Unfortunately, it's all too easy for such systems to be made to "sell to the gullible", particularly when attempts are made, however benignly, to minimize discussion of the potential problems involved. --Lauren-- ------------------------------ Date: Wed Dec 19 10:29:41 1990 From: johnboyd@logdis1.oc.aflc.af.mil (John Boyd;CRENP) Subject: Re: Response by Legion of Doom >Date: 9 Dec 90 18:26:16 GMT >From: irv@happym.wa.com (Irving Wolfe) >Breaking and entering is a crime that has two parts: "breaking" and >"entering." If you leave your front door ajar, one need not "break" to >"enter." If a company leaves the door to its office ajar, it cannot accuse an >outsider found walking down its hallway (doing no harm) of any crime, it can >only tell him to leave. Isn't this trespassing? If I arrive home with an armload of groceries, unlock the front door, take say, three steps and set the groceries on the floor, and turn to lock my door and find you standing in my living room, you'll stand a good chance of either getting your butt kicked or shot! From: black@seismo.CSS.GOV (Mike Black) >3. "We are in business to do business...". True, but businesses have a >responsibility to society to ensure their business does not invite criminal >behaviour. And don't people in general have a responsibility to society to behave in acceptable, legal ways? 'The devil made me do it' was never a defense. So far, I don't think the phone companies have been sued as being a party to bookmaking operations. >5. Finally, let's try and define a reasonable person on this matter: >1. When you hook-up a phone line to your computer, a reasonable >person would expect to get calls from unauthorized users. And a reasonable person would expect the company that wrote the software to have made _reasonable_ efforts to defeat entries by those unauthorized users (hard-core, criminal hackers notwithstanding). But then, they've already taken themselves off the hook with those legalese non-warranties. johnboyd@ocdis01.af.mil Disclaimer - If I express an opinion, the Air Force will deny I know what I'm talking about. ------------------------------ Date: 19 Dec 90 16:37:46 GMT From: sandberg@ipla01.hac.com (K. M. Sandberg) Subject: Re: Response to "Legion of Doom" (Wolfe, RISKS-10.70) >Breaking and entering is a crime that has two parts: "breaking" and >"entering." If you leave your front door ajar, one need not "break" to >"enter." If a company leaves the door to its office ajar, it cannot accuse an >outsider found walking down its hallway (doing no harm) of any crime, it can >only tell him to leave. Since people here seem so fond of analogies, I'll >These analogies are silly. How about trespassing? Actually breaking and entering is a good analogy because most computer systems do have a lock, the passwords and accounts, but they are not very strong, like houses. To have not password would be like leaving the door unlocked, but how many companies do this? Cars are also the same, dare you say that leaving a nice car around where someone can see it it causing an it to be stolen? The solution: get rid of everything that might attract someone. Is this what you want? Just how strong of a lock must you have before you are no longer accused of making it easy for someone to break in? >If we are to have a law in this area, it should be simple: Attempting to log >into a computer system or otherwise access it without having been explicitly >invited should be a crime whether or not the attempt succeeds and whether or >not any damage was done. Probably using a normally-public area like an ftp >or anonymous uucp directory should be explicitly excepted, as should a small >number of attempts to log into a system accidentally, provided no hacker-type >activities (systematically guessing passwords, taking advantage of system >defects to gain privileged access, etc.) were involved. > >But if this is to be a crime, it is fundamentally unrelated to old-time crimes >like breaking and entering or car theft. We are making it a crime because >we'd like to discourage it, not because there's a clear moral issue or any >harm being done. There may or may not be. The law is for our convenience, >and has no moral side, and the violator is not to be punished for his evil >character, but merely for having violated a well-known law carrying a >well-known penalty. I'm sorry, but I do think that breaking in to a computer has a moral side. People should take responsibility for their own actions and know that something is wrong and not just because of a law. Society can not, nor should not in my opinion, make a law for every possible thing that can or will be done. A person has to be reasonable and for someone to say that they did not think that breaking into a computer system (getting around the password protection at least) was not wrong is being unreasonable, besides if they didn't think it was wrong, why do they hide the fact that they are doing it? On the computer systems I have been responsible for I have put a notice on login "Unauthorize access is prohibited", which makes it clear that unless you are authorized, you don't belong on the system. Even use by employees can be questioned if they use the system for non-work related things that impact the system, but this is not the intent. Kemasa. It would be interesting if people would listen to what they are saying, but then again others are not listening either, so why should they? ------------------------------ Date: Wed, 19 Dec 90 14:34:29 GMT From: brendan@cs.widener.edu (Brendan Kehoe) Subject: Re: Response to article on "Legion of Doom" sentencing In Risks digest 10.70, Irving Wolfe (irv@happym.wa.com) wrote: > Attempting to log into a computer system or otherwise access it >without having been explicitly invited should be a crime whether or >not the attempt succeeds and whether or not any damage was done. How in the world would such a thing be enforced? Agreed, you'd have to give leeway for the cases like ftp/uucp, accidental attempts, etc. But trying to word such a law would be sheer hell -- the number of loopholes that'd be created would far outweigh the number of benefits. For example: just last night, someone tried to log in as root through FTP to one of my machines. How would this fall under these guidelines? It's an FTP session, so it's got the shadow of "exempt" hanging above it. But wait! It was an attempted login to *the* privileged account, right? True. But the person could easily say they were root on their own machine (assuming it was the same person) and they just hit at the name: prompt before they realized what they were doing, and subsequently were stuck with logging the FAILED LOGIN message. A really messy situation. I completely agree that there should be some sort of law concerning this issue, even moreso in recent months (with the # of attempted logins from unrestricted terminal servers on the rise). But trying to make such a law real would be dangerously close to constantly monitoring every connection for anything that some "objective party" deems suspicious. >But if this is to be a crime, it is fundamentally unrelated to old-time crimes >like breaking and entering or car theft. We are making it a crime because >we'd like to discourage it, not because there's a clear moral issue or any >harm being done. There may or may not be. Exactly. We're trying to take a law that restricts walking pets in the park and make it apply to bringing your adorable scorpion "Spike" for a little jaunt down the block. Brendan Kehoe - Widener Sun Network Manager - brendan@cs.widener.edu ------------------------------ Date: Wed, 19 Dec 90 10:16:00 CST From: Mahan_Stephen@lanmail.ncsc.navy.mil Subject: Value of data integrity I have a few thoughts on the ideas expressed [in RISKS-10.66?] about "no damage being done by an unauthorized user". The data in a computer has value. This applies to software under development, experimental records, financial records, and almost all other forms of electronically recorded data. A large part of the value of the data lies in the knowledge of the integrity of the data and the confidence placed in the data as a result. If an unauthorized used has gained the ability to change the information in the computer then REGARDLESS of whether any information was actually changed the degree of confidence in this information is necessarily lessened. Restoring the original level of confidence in the data will require some finite amount of effort, whether restoring from backups, reconstructing, comparing against old printouts, or other techniques. The amount of effort depends on the value of the data and the willingness to accept a lesser confidence level, as well as other implementation dependent details. Viewed in this respect, unauthorized access to the system does result in losses to the owners of the system whether or not any alteration of the information took place. These are my opinions only and do not necessarily represent any other person or organization. Stephen Mahan, Naval Coastal Systems Center, Panama City, FL 32407-5000 ------------------------------ End of RISKS-FORUM Digest 10.72 ************************