RISKS-LIST: RISKS-FORUM Digest  Monday 21 November 1988  Volume 7 : Issue 81

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Computerized voting problems in Toronto (Amit Parghi)
  NH State Republican Convention Computerized Voting Standard (Kurt Hyde)
  Ethics (Hugh Miller)
  Re: Teaching "Ethics" (Brint Cooper)
  Decompiled Source (Phil Karn)
  Re: Risks of unchecked input in C programs (Henry Spencer)
  Smart Roads (Robert Brooks)
  IFF & UK Toll Roads (Nigel Roberts)
  Re: "Electronic number plates" (Allan Pratt)
  Re: UK vehicle-identification systems (John Haller)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in
good taste, objective, coherent, concise, and nonrepetitious.  Diversity is
welcome.  CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive
"Subject:" line (otherwise they may be ignored).  REQUESTS to
RISKS-Request@CSL.SRI.COM.
FOR VOL i ISSUE j / ftp kl.sri.com / login anonymous (ANY NONNULL PASSWORD) /
get stripe:risks-i.j ... (OR TRY cd stripe: / get risks-i.j ...
Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85),(6,95).

----------------------------------------------------------------------

Date: Sun, 20 Nov 88 18:13:44 EST
From: Amit Parghi
Subject: Computerized voting problems in Toronto
Organization: Computer Graphics Lab, University of Waterloo

From _The_Globe_and_Mail_, Saturday, 19 November (reprinted w/o permission):

Machine misses 1,408 votes, Toronto clerk wants recount
by Sean Fine

Toronto's city clerk is asking council to order a city-wide recount after
1,408 votes in Monday's [14 Nov.] civic elections went unread by
sophisticated new machines.  [...]

"We want the integrity of the election to be upheld," deputy clerk Barbara
Caplan said in explaining why all 16 city wards, plus the Metro Toronto wards
and trustee races, should be retabulated.
Ms Caplan said the recount could affect the outcome of only one city race,
the three-vote victory for reformer Malcolm Martini over conservative Michael
Walker in Ward 16.  As well, three school trustee races could be affected.

But a battle may occur over the manner of the recount.  The clerk's office
wants to give the machines, purchased recently at a cost of $1.6 million
(Canadian), another chance.  Ms Caplan said the computerized vote-counting
machines were not to be faulted.  An error in the printing or cutting of
ballots put them "off-register," or off-line, meaning they could not be
scanned by the machine, she said.  In the recount, those ballots that are not
read by the machine would be tabulated manually, she said.  [...]

In the city's closest race, which pitted Mr. Walker against Mr. Martini, Mr.
Walker, a six-year veteran of council, was initially declared the victor
Monday night.  On Wednesday, the clerk's department discovered errors in
manual addition and Mr. Martini emerged the winner by three votes.  Now the
entire ward race is in question since 81 ballots were not read by the
machine.  [...]

In no other city ward, and in none of the eight Metro wards located in the
City of Toronto, was the margin of victory smaller than the number of unread
ballots.  The number of ballots not read ranged from a low of 47 in Ward 4 to
a high of 237 in Ward 12.  [...]

Under law, the ballots would have to be read in the same fashion - that is,
by the machines - as on election day, Ms Caplan said.  Only those ballots
rejected by the machines would be read manually.
------------------------------

Date: Mon, 21 Nov 88 12:32:19 PST
From: hyde%isws23.DEC@decwrl.dec.com (Have Rdb Manuals -- Will Travel 264-3839 MKO1-1/B02)
Subject: NH State Republican Convention Computerized Voting Standard Resolution

The following resolution was the only proposed resolution which passed at
this year's New Hampshire State Republican Convention:

WHEREAS The State of New Hampshire has set no minimum standard for computer
security in computerized voting, and

WHEREAS The state of the art in computer crime has progressed dramatically in
the last few years to now include virus programs which can transmit
themselves from one computer to another without active participation by the
computers' owners, operators, or users, and

WHEREAS The State of New Hampshire has computerized voting equipment, some of
which:
  o Does not have the ability to recount manually,
  o Does not have the ability to recount at all,
  o Uses secrecy of internal procedures as a primary security strategy,
  o Does not give the voter the ability to ensure the computer has voted as
    instructed,

NOW THEREFORE, BE IT RESOLVED that the Republican Party of the State of New
Hampshire calls upon the Legislature of the State of New Hampshire to enact
legislation that would establish the following minimum computer security
features for any further expansion of computerized voting or vote counting:

Computerized voting equipment must either produce a manually recountable
ballot for the voter's inspection prior to electronically casting the voter's
ballot or use as its input a ballot which can be used in a manual recount.

Submitted by Kurt Hyde, Delegate from Weare.

This proposed standard is essentially the same one proposed at the first
National Symposium on Security and Reliability of Computers in the Electoral
Process at Boston University in August of 1986 (Co-chaired by Eva Waskell and
myself).
Many thanks to the RISKS Forum members who participated in the development of
this standard during 1985 and 1986.

Kurt

------------------------------

Date: Wed, 16 Nov 88 23:39:09 EST
From: Hugh Miller
Subject: Ethics

Stan Stahl, in RISKS 7.75, writes:

> The critical bottom line, and it is one that shouts out to us in the
> wake of the RTM worm, is that we absolutely must begin to take the
> teaching of ethics seriously.  Some school districts are beginning to do
> this and they are to be commended for it.  Perhaps if everyone were
> exposed to ethics courses, beginning in the early grades and continuing
> through computer ethics courses and business ethics courses, etc, then
> it would be clear `in the entire community what is and what isn't
> ethical behavior.'

In my experience teaching ethics here and at McGill University, such courses
have little direct effect on the moral behaviour of the students taking them.
About all that can be expected -- and this is the *maximal* result -- is that
the students will be made aware of one more set of constraints they must
operate within: a code of professional ethics.  (In those states which permit
them.  Many don't.)  Like all such codes, the extent to which they are taken
seriously has much more to do with upbringing, personality, generally
accepted broad social norms, peer pressure, etc., than with schooltime
pedagogy.  Clever people, or persons thinking themselves above or outside the
rules, always find excuses for circumventing them.  Scientific pursuits in
general, and mathematical/logical ones in particular, due to the glamour and
the cachet of difficulty attached to them, encourage adepts in such beliefs.
The famous technological imperative is at work as well: do what is
"technically sweet" first, and ask whether it was good after all once it's
done.
The novelist Walker Percy in one of his books quotes "a scientist's prayer,
if scientists ever prayed, which they don't: `Lord, grant that my work lead
to the betterment of the human condition, and not the reverse.  Failing that,
Lord, let it not lead to the complete destruction of mankind.  And, failing
that, Lord, please don't let the end come before my article is published in
*Brain*.'"  And, frankly, the general culture we live in worships at the
altar of Expediency, not Justice or Virtue, so one cannot expect much help
there.

Further, most `ethics' instruction at the university level with which I am
familiar proceeds along lines so shallow and analytical that it completely
fails to engage the spirit of the listener.  One doesn't have to be a devotee
of Allan Bloom or his ilk to see this.  However dedicated and forceful the
teacher, the material taught is so unchallenging and `conservative' (in the
sense of supporting the *status quo*) that even the very young see through it
and hit their mental channel-changers.  To explain why this is so would
require a long discussion, descending occasionally into rant and tirade, of
the practice of moral philosophy in the English-speaking world in the 20th
century, the which I will spare us all.  Suffice it to say, the first ethics
course most students take is, in my overwhelming experience, the last.

This is not to say that I oppose teaching ethics.  Obviously, if such
teaching does nothing more than lower the rate of mischief in general
circulation by a little bit it is A Good Thing.  I merely wish to point out
the limitations of all such pedagogy.  The teacher in *Stand And Deliver*,
please note, was NOT teaching ethics.
Hugh Miller, University of Toronto, MILLER@UTOREPAS.BITNET

------------------------------

Date: Thu, 17 Nov 88 11:58:50 EST
From: Brint Cooper
Subject: Re: Teaching "Ethics"

Eric Roskos writes,

> In an Ethics course, the most you can do is discuss ethical paradigms, which
> include systems of ethics in which it is entirely acceptable to engage in any
> activity that benefits you ("situation ethics" are an example of this).

We're missing something in this discussion.  A few digests back, someone
observed that post-Watergate attorneys began taking ethics courses as part of
their training.  But I don't believe for a moment that the purpose was to
"teach" ethics to the attorneys.  It was simply to get on the record that the
attorney had studied ethics so that he could not later claim ignorance of
ethical concepts or their irrelevance to his/her professional conduct.  By
this, ethical considerations can now legitimately be raised in disciplinary
proceedings.

It may come down to this in Computing Science as well.

_Brint

------------------------------

Date: Thu, 17 Nov 88 13:02:35 EST
From: karn@ka9q.bellcore.com (Phil Karn)
Subject: Decompiled Source (Re: RISKS-7.79)

Some argue that the decompiled source code to the Internet worm shouldn't be
released because that would make it easier for someone to turn it into
something really damaging.  This is a specious argument.  Anyone can modify
the worm's object file into something very malevolent, and it doesn't even
require the use of adb.  Just write an exit() that actually does "rm -rf /"
followed by an infinite loop, and link it to the worm object file using ld -r
so it can be the subject of another ld run.  I simply refuse to believe that
I'm the only person to think of something like this.

The only "sensitive" information contained in the worm source is the security
holes it exploits, and these are now very widely known.
The worm is completely powerless without them, and you don't need the worm to
exploit in much worse ways a system that still has the holes.

On the other hand, there are a lot of people who have perfectly legitimate
reasons for wanting to see that code.  I, for one, would very much like to
show my management and our security staff exactly what it did (*and* did not)
do.  Although I personally have no reason to believe that the analysis
prepared at MIT and Berkeley is not complete, it is just not the same thing
as having the actual source in hand when trying to reduce the general
paranoia level in others.

Phil

------------------------------

Date: Sat, 19 Nov 88 00:22:36 EST
From: attcan!utzoo!henry@uunet.UU.NET
Subject: Re: Risks of unchecked input in C programs

A small error of fact in Bill Stewart's contribution:

>I've always been dissatisfied with the printf/scanf family - field widths are
>hard-coded in the format strings, with no way to parameterize them except
>building format strings on the fly...

Not true, and it hasn't been true for a long time.  A field width or
precision specification of '*' means "pick up an integer from the parameter
list at this point".  Either Bill has a very strange version of Unix or he
just missed this in the manual page -- it's been there at least since V7,
which came out nearly ten years ago.

Henry Spencer at U of Toronto Zoology
uunet!attcan!utzoo!henry   henry@zoo.toronto.edu

------------------------------

Date: Fri, 18 Nov 88 15:35:22 pst
From: Robert Brooks
Subject: Smart Roads

Many articles have appeared recently about "smart roads"; systems in which
communication of some sort between roads and vehicles enable such things as
automatic toll assessment, route planning, traffic jam avoidance, etc.  Much
concern has been expressed about the Big Brother potential of such systems.
But this is by no means an essential hazard.
The transponders, barcode tags, or whatever could be purchased anonymously,
and authorization to cross various toll points n times purchased in advance,
like postage stamps.  Attempting to pass without prepaid authorization
triggers a buzzer, light, gate, or something directing one to a conventional
toll booth.  Those who proceed anyway are chased down like someone who goes
through an ordinary toll booth without paying.

Any technological advance is greeted by cries of "it won't work" and
irrational fears.  Smart roads are no exception.  We should indeed protest
implementations of the technology which are invasive to privacy, but suppress
Luddite urgings to abandon it altogether.

------------------------------

Date: 17 Nov 88 17:25
From: roberts%untada.DEC@decwrl.dec.com (Nigel Roberts, G4IJF)
Subject: IFF & UK Toll Roads

IFF (Identification Friend or Foe) and Toll Roads in the UK

Fitting IFF to cars

Chaz Heritage and others raise genuine concerns about the possibilities for
intentional and unintentional misuse of such a hypothetical system.  However
I do feel some of the more fantastic possibilities are unlikely to
materialise.  (Of course other risks, maybe with even worse consequences than
already imagined might, so don't stop discussing this!)

European Single Market

From 1992, all goods sold in the Single Market must conform to common
specifications.  As a result, National Type Approval for cars will be
replaced by a type approval for the whole of the EEC.  (This, in fact will
apply to all goods & services, but we are discussing cars here)

For example, the U.K. would like to introduce a requirement for U.S. style
third brake lights.  However before it can do this, it needs all the other
member countries to agree.  So to REQUIRE the fitting of an IFF-style device,
it must be agreed by all the EEC countries (and it must then conform to a
common standard).

The British consumer may in its lethargy accept Big Brother, but here in W.
Germany there would be a revolution if such an intrusion into privacy was
even so much as suggested.  (There was enough outcry when machine-readable
passports/national ID cards were introduced; this was somewhat pacified by
removing the requirement to carry I.D. at all times)

Foreign Vehicles

The number of foreign registered (usually European) vehicles on British roads
is increasing all the time, with the increase in contacts, trade, etc, with
the mainland which has occurred since the U.K. joined the EEC in 1973.  When
the Chunnel opens there will be even more.  The U.K., like most countries, is
bound by the terms of the Treaties on International Road Traffic to let
visitors to the U.K. drive on their roads.  If the Essex Police got a MAIL
message every time a car without a U.K. IFF plate drove along the A12 (a
major 'E' route) then their computer systems would soon be overloaded.

Simple ways are best

As a final postscript on the theme of "Big Brother is watching you"; let me
ask the rhetorical question: "Why use complicated methods of control when
simple ones are best?".  An example: all vehicles loading on to one
particular ferryboat are monitored by video as they pass Passport Control.
Presumably, during the crossing, a list of all license plates can be made,
and telexed across to the destination port.  What could be simpler than that?
Why use complicated electronics when old-fashioned surveillance works just as
well, if not better.

Nigel Roberts

------------------------------

Date: Fri, 18 Nov 88 14:40:59 pst
From: imagen!atari!apratt@ucbvax.Berkeley.EDU (Allan Pratt)
Subject: Re: "Electronic number plates"
Organization: Atari (US) Corporation, Sunnyvale, California

I saw a segment on "Electronic number plates" on "Beyond 2000" (or "Towards
2000"), a series from Australia which actually goes into more detail than
most shows...
They start with the Big Picture, but they don't stop with "but now it gets so
complex you couldn't possibly understand it" -- they go on to explain in some
technical detail.  So here's what they said:

The "black box" is welded to the frame of your car, and is virtually
indestructible.  It has no external features.  It has no power source (!).
If the handshake fails, a camera snaps a picture of car, driver(?), and
traditional number plate.  The system they showed had 10 (?) nodes in central
Hong Kong (or some other high-density Asian city).

There are still a few bugs to work out of the system, which RISKS readers
have been quick to point out.  No power source?  I guess part of the inquiry
from the roadbed is energy enough for it to transmit back.

Towards 2000 and Beyond 2000 are on The Discovery Channel, which cable
services sometimes have as part of the basic service.

Opinions expressed above do not necessarily reflect those of Atari Corp. or
anyone else.  -- Allan Pratt, Atari Corp.  ...ames!atari!apratt

------------------------------

Date: Mon, 21 Nov 88 08:03:05 PST
From: att!ihlpl!jhh@ucbvax.Berkeley.EDU
Subject: Re: UK vehicle-identification systems

denbeste@OAKLAND.BBN.COM writes:

>I find Chaz's description of the new system in Britain for toll-roads very
>interesting, to say the least.  I have some interesting questions:

>1. As I understood it, what we have is a radio handshake between each car and
>fixed transceivers at the entrance and exit from the toll-road, presumably
>connected to a computer billing system which mails you a bill each month.  What
>if you move and don't tell the computer your new address?

The Illinois Toll Authority has already installed this automated toll
collecting equipment on one exit as a trial.  They are retaining the coin
collection equipment, but are also supplying several large users, such as
limousine services and trucking companies, who use this exit with equipment
that will allow the users to be billed directly.
The device can read the identification of vehicles traveling at up to 35 MPH
[56 km/hr].  Since the coin collection boxes are located on a curve here, the
speed limit should pose no problems.  In case you are from the Chicago area,
this equipment is located at the Farnsworth exit off of the East-West
Tollway, I-88, formerly IL-5.  Unfortunately, there was no information
readily available to describe the transceiver.

The Illinois Toll System does not use entry/exit tolls, but rather periodic
toll barriers.  This causes large backups during rush hour, as everyone has
to put in their $0.40.  The hope is that this system will reduce congestion,
and that the expense of adding more toll booths can be avoided.

John Haller
jhh@ihlpl.att.com

------------------------------

End of RISKS-FORUM Digest 7.81
************************
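A worked illustration of the '*' width and precision that Henry Spencer describes in his note on unchecked input in C programs, appended here as an added example; it is not part of the digest and not any contributor's code, and the function names format_record, copy_field and read_token are invented for it. It shows printf taking a column width and a byte cap from the argument list, uses "%.*s" to print a field that is not NUL-terminated without reading past it, and also covers the scanf side, where '*' means assignment suppression rather than a width from the argument list, so a bound on "%s" still has to be written into the format string (the on-the-fly construction Bill Stewart refers to).

```c
#include <stdio.h>
#include <string.h>

/* Format a fixed-width record.  The '*' width and precision make printf take
   the column sizes from the argument list, so no format string is built at
   run time.  The precision on %s also caps how many bytes of `name` are
   printed.  Returns the length snprintf reports. */
int format_record(char *out, size_t outsz, const char *name, int namewidth,
                  int value, int valwidth)
{
    /* %-*.*s : left-justify, pad to namewidth, print at most namewidth chars
       %*d    : right-justify value in valwidth columns */
    return snprintf(out, outsz, "%-*.*s|%*d",
                    namewidth, namewidth, name, valwidth, value);
}

/* Copy a length-delimited field that is not NUL-terminated (a fixed-width
   record or a slice of a network buffer) into a C string.  The '*' precision
   bounds how far printf reads, so it never runs past the field. */
int copy_field(char *out, size_t outsz, const char *field, int fieldlen)
{
    return snprintf(out, outsz, "%.*s", fieldlen, field);
}

/* scanf is the other half of the family, and there '*' means assignment
   suppression, not "width from argument".  A maximum width for %s therefore
   has to be written into the format string; this helper builds it from the
   destination size (bufsz - 1 leaves room for the NUL).  Returns 1 if a
   token was read, 0 otherwise.  (Hypothetical helper for this example.) */
int read_token(const char *input, char *buf, size_t bufsz)
{
    char fmt[32];

    if (bufsz < 2)
        return 0;
    /* produces e.g. "%3s" for a 4-byte buffer */
    snprintf(fmt, sizeof fmt, "%%%zus", bufsz - 1);
    return sscanf(input, fmt, buf) == 1;
}

int main(void)
{
    char rec[64], fld[8], tok[4];

    /* constructed sample inputs */
    format_record(rec, sizeof rec, "alice", 8, 42, 5);
    printf("[%s]\n", rec);                     /* [alice   |   42] */

    format_record(rec, sizeof rec, "verylongname", 4, 7, 3);
    printf("[%s]\n", rec);                     /* [very|  7] */

    copy_field(fld, sizeof fld, "abcdef", 3);
    printf("[%s]\n", fld);                     /* [abc] */

    read_token("hello world", tok, sizeof tok);
    printf("[%s]\n", tok);                     /* [hel] */
    return 0;
}
```

The second format_record call is the case worth remembering: the precision argument, not the length of the incoming string, decides how much of `name` is emitted, so a long or unterminated input cannot push the output past its column.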