25-Feb-86 17:40:50-PST,8469;000000000000 Mail-From: NEUMANN created at 25-Feb-86 17:39:18 Date: Tue 25 Feb 86 17:39:18-PST From: RISKS FORUM (Peter G. Neumann, Coordinator) Subject: RISKS-2.16 Sender: NEUMANN@SRI-CSL.ARPA To: RISKS-LIST@SRI-CSL.ARPA RISKS-LIST: RISKS-FORUM Digest, Tuesday, 25 Feb 1986 Volume 2 : Issue 16 FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Volunteers to study security of computerized voting booths? (Kurt Hyde) Our Economy Is Based On Electricity (Jared M. Spool) Misdirected modems (Jared M. Spool) The Titanic Effect (Earl Boebert) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, nonrepetitious. Diversity is welcome. (Contributions to RISKS@SRI-CSL.ARPA, Requests to RISKS-Request@SRI-CSL.ARPA.) (Back issues Vol i Issue j stored in SRI-CSL:RISKS-i.j. Vol 1: MAXj=45) ---------------------------------------------------------------------- Date: Tuesday, 25 Feb 1986 04:45:16-PST From: hyde%topcat.DEC@decwrl.DEC.COM (Kurt Hyde DTN 264-7759 MKO1-2/E02) To: risks@sri-csl.ARPA, self%topcat.DEC@decwrl.DEC.COM Subject: volunteers to study security of computerized voting booths? How secure are computerized voting booths? I teach Systems Analysis at a local college here in Nashua, NH. For the last two years, my students and I have been studying the impact of computerization on voting security. The recent charges of fraud in Mexican and Phillipine elections increase the importance of such studies as computers are now being implemented into three areas of voting -- maintaining voter registration lists, tallying of votes, and directly computerized voting. Last year's class discovered that an OEM was manufacturing a computerized voting booth. Further research has revealed that the company's strategy for ensuring security is secrecy of operation. Secrecy of operation increases the difficultly in penetration, but it also has a negative side effect of making it difficult (if not impossible) to detect tampering. There are many documented cases of accidental miscalculation in computerized vote tallying equipment. The reasons why such errors were discovered is because reconstruction and recount was possible. Investigators reconstructed by gathering the machine-readable ballots. They were then able to recount by machine or by hand. Such reconstruction is impossible with the current state of the art in computerized voting booths because no physical ballots are created. Recounts in such cases are wholly dependent upon the software to have stored each vote in its proper storage location at the time of voting. As far as I can tell, no computerized voting booth has ever been subjected to product testing by hackers. I discussed this with the chief engineer at the first company to make computerized voting booths. He agreed with me in a phone conversation that such testing would be nice and that he was open to the idea. However, the only way to get something done in this area is for concerned citizens to try it. There are now at least three companies either making or planning to make computerized voting booths and, according to the FEC, they all intend to rely on secrecy of operation for security. Oddly, none of the companies have named their flagship products "The Titanic". Do you think these people have developed perfect, unbreakable codes? Some associates of mine and I think not. In fact, we have begun to formulate some testing strategies. I've done a lot of work myself, but I now need some expertise in the areas of cryptography, decompiling programs, and MS-DOS on IBM PC. Perhaps we can avoid having a Marcos-Aquino style problem here in America. Kurt ------------------------------ Date: Tue, 25 Feb 86 11:47 EST From: Jared M. Spool Subject: Our Economy Is Based On Electricity To: risks@SRI-CSL.ARPA Last week, on payday, I was informed from our efficient payroll department that my bank account would not be credited with my automatic deposit of my paycheck for a couple of days. The reason that was given was a "Power Blackout In The LA area". (Our payroll is handled out of our LA office, while R&D is on the east coast. I don't know the reason for this polarization. I think it has to do with opposites repelling or something.) A lot of our economy is based on things that use electricity. While battery backups are not uncommon in computer systems, what percentage can withstand a 24 hour blackout? How about 48 hours? If NY were hit with a 48 hour blackout, what would happen to the NYSE? I realize that there are lots of social things that happen during blackouts (like rioting and baby booms), but these things tend to be localized to the area of the outage. But, as I stated above, I need a cross country connection to get paid. How much of our economy would be downed because of something like this? ------------------------------ Date: Tue, 25 Feb 86 11:31 EST From: Jared M. Spool Subject: Misdirected modems To: RISKS FORUM From: Alan Silverstein Date: Mon, 24 Feb 86 11:12:54 pst Subject: misdirected modems Twice recently, computers at our company (Hewlett-Packard) have been the embarrassing causes of telephonic annoyance. Phone numbers entered incorrectly in uucp L.sys files, due to typos or misunderstandings, have led to systems repeatedly calling private telephones in Fort Collins. [...] I bet this happens a lot more than anyone realizes or admits. I'll admit it. Four jobs ago, I worked at (what was then a startup) as one of two developers on a electronic mail package using regular phone lines as the network. We used to test the product, over night, by having the five test machines try to send and receive 100-200 messages (per machine) over the five phone lines. (We did this in batches of 20 messages.) The tests were set to start anywhere from 11:00 p.m. to 3:00 a.m. and could go 2-3 hours in length depending on how we set them up. Different machines would have different starting and length times. The product worked, such that if the phone was busy or didn't answer, (the modem couldn't detect the difference,) it would try again after a certain delay (approx 15-20 minutes) until it failed 10 times. The test was set up that each batch would generate only one phone call. One morning, after running such a test, I noticed that, on one of the machines, all of the batches set to go to a second machine didn't make it, while all of the batches for the other three machines did. On further investigation, I determined that the phone number for the second machine was incorrectly typed into the sending machines database. It turned out to be a residence, and an apology was made. We double checked our test sets before starting them, after that. In conclusion, it is very easy, with today's technology to do such a thing. Modem technology has even progressed that the modems themselves redial the numbers until a connection is made, with no regard to the fact that there will never be a machine on the other end. We have always had wrong numbers. However, when a human dials a wrong number, there is (almost) immediate confirmation that the number is wrong, and a second or third or tenth retry is not attempted to the same number. Maybe what we need is a touch tone code (or something) that one can enter into a modem that says "The number you have is wrong, go away." ------------------------------ Date: Tue, 25 Feb 86 18:21 CST From: Boebert@HI-MULTICS.ARPA Subject: The Titanic Effect cc: risks@SRI-CSL.ARPA This rule is, I believe, actually an instance of the 28th Axiom of Systemantics: "When A Fail-Safe System Fails, It Fails by Failing to Fail Safe." All 32 Axioms, the Four Basic Postulates, and Corollaries can be found in the delightful _Systemantics_ by John Gall (Quadrangle/NYT Books, 1977, ISBN 0-8129-0674-8), which deserves to be better known. Earl ------------------------------ End of RISKS-FORUM Digest ************************ -------