RISKS-LIST: RISKS-FORUM Digest  Monday 14 August 1989  Volume 9 : Issue 9

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  California to escrow electronic vote counting software (Rodney Hoffman)
  Voters Left off Electoral Roll (Rohan Allan Baxter)
  Beeperless remote answering machine risks (Peter Scott)
  Computerized Houses (Jake Livni)
  Automated Driving (Ian Gent)
  Marijuana Virus wreaks havoc in Australian Defence Department (J. Holley)
  Universal Trapdoors (Vin McLellan)
  Computer Problems at Saratoga Racetrack (Rodney Hoffman, Dave Fiske)
  RISKS summer reruns? (Daniel F. Fisher, Jim Horning)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome.
* RISKS MOVES SOON TO csl.sri.com. FTPable ARCHIVES WILL REMAIN ON KL.sri.com.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line (otherwise they may be ignored). REQUESTS to RISKS-Request@CSL.SRI.COM.
FOR VOL i ISSUE j, ftp KL.sri.com[CR]login anonymous (ANY NONNULL PASSWORD)[CR] get stripe:risks-i.j ... (OR TRY cd stripe:[CR]get risks-i.j
Vol summaries (i.j)=(1.46),(2.57),(3.92),(4.97),(5.85),(6.95),(7.99),(8.88).

----------------------------------------------------------------------

Date: 14 Aug 89 08:02:12 PDT (Monday)
From: Rodney Hoffman
Subject: California to escrow electronic vote counting software

Edited excerpts from an article by William Trombley in the 'Los Angeles Times' 14-Aug-89:

A new law which takes effect Jan. 1, 1990, requires California counties to place the source code of their vote-counting computer programs in escrow so they can be checked by independent experts in case of disputed results. The law is a partial response to increasing criticism that electronic vote tabulation sometimes is inaccurate and is vulnerable to tampering because of lax security.
The California secretary of state will approve escrow facilities and will determine what material should be placed in escrow and under what circumstances the source codes should be made accessible to investigators. The escrow plan also allows election officials access to the codes should the companies that produce the software go out of business or stop selling that particular product, as has happened in several states.

California's new law coincides with efforts by the National Clearinghouse for Election Administration, an arm of the Federal Election Commission, to produce voluntary state standards for computerized elections. The federal standards, published in the Federal Register last week, also call for putting source codes in escrow. So far, Texas, New York and a few other states have laws similar to California's.

Reactions to the new law vary:

Tom Diebold, president of DFM Associates, one election system vendor: "The problem with escrow is that it makes it easier for someone who wants to manipulate an election to get their hands on the source code."

Lester Jaspovice, V.P. and corporate counsel for Sequoia Pacific Systems, another vendor: "My company doesn't like it, but, as an attorney, I think it's a good idea. It provides a virgin copy of the code that the court can call on in case of a dispute."

Howard Strauss, Princeton University computer scientist and member of Election Watch: If the source code in escrow differs from the one used to count votes, "then you know something's wrong. But if they're the same, it doesn't tell you anything because they could both contain the same mistakes." Strauss also doubted that the law would protect against a company going out of business or losing its top scientific talent. "The idea is that these escrow facilities will have technical people who can read this stuff, but some of it is so badly written that, even after months of work, you wouldn't know what it was all about."

Crew Deer, V.P. of Data Securities International, a computer software escrow company: "If the code has a bug in it, it will show up on both the original and the copy, but that's good because you at least know it's a technical problem and nobody has been tampering." According to Deer, the escrow fees for vote-counting source code might be about $1500 plus $1000/year after that. If a result is challenged and a detailed verification process is carried out, the cost could be as much as $30,000.

Several critics said the new law does nothing to correct what they consider to be the major flaw in computerized elections -- the presence of poorly trained, underpaid election workers who do not understand the computerized equipment they are using to count votes.

[For the record, on July 2, 3, and 4, the 'Los Angeles Times' ran a very lengthy series by William Trombley on computers and vote counting. Nothing new, but a fair summary of past troubles, present systems, and suggested changes. It includes quotes from many election officials, computer scientists, and statisticians. Among those cited are RISKS contributors Gary Chapman and Marc Rotenberg of Computer Professionals for Social Responsibility, Lance Hoffman of George Washington University, Willis Ware of RAND, and RISKS moderator Peter Neumann. (See RISKS 7.52 and 7.70 for references to past reports on the subject.)]

------------------------------

Date: Thu, 10 Aug 89 08:21:34 EST
From: rohan@bruce.cs.monash.OZ.AU (Rohan Allan Baxter)
Subject: Voters Left off Electoral Roll

More than 6000 voters were unable to vote in local government elections in Victoria on Saturday, August 5th, because of a computer error made by the Australian Electoral Commission. Newly enrolled voters and those who had changed municipalities had their names left off the updated electoral rolls. The error was made five months ago, but was detected less than 24 hours before the opening of the polling booths.
A full internal inquiry has been ordered into why the error was detected so late, as well as its original cause. Legal opinion indicates the elections are not invalidated by the error, although legal challenges are expected from narrowly losing candidates.

One bitter voter affected by the error noted that voting in the elections was compulsory - a bitter irony for those left off the rolls.

------------------------------

Date: Sat, 5 Aug 89 14:28:03 PST
From: Peter Scott
Subject: Beeperless remote answering machine risks

My answering machine is one that allows me to call in from a push-button phone and signal it to play back my messages with a 2-digit code. In addition, there are single-digit codes that reset the machine, go forwards, backwards, change the outgoing message, etc.

I just called in to get my messages; there was one. Just before the caller hung up they accidentally bumped some keys on their phone, resulting in some digit tones being recorded on their message. I heard this and waited for the machine to beep to tell me it had finished playback. Instead, it played the message again... and again... Apparently it was taking input from the message tape as valid, and one of the buttons the caller pressed was the "backwards" command. I suppose if I were getting the message off the machine at home this wouldn't happen, because it would not be in remote mode.

This has some interesting consequences for the unscrupulous callers and unwary callees.
Peter Scott (pjs@grouch.jpl.nasa.gov)

------------------------------

Date: Mon 14 Aug 89 18:57:48-EDT
From: Jake Livni
Subject: Computerized Houses

"The New Homes Are Getting Smarter"
"Cued by computers, they run themselves"
by Mark McCain
(Excerpted from the Real Estate Section of the New York Times, August 13, 1989)

Although electronic brains these days control televisions and telephones, offices and automobiles, the average house is still a mindless creature, bumbling along without any effort to make itself more safe [!!!], or economical, comfortable or convenient.

For many houseowners, that's fine. The thought of a house smart enough to take matters into its own hands is absurd - even threatening. Who's to say it wouldn't fire up the oven after midnight just on a lark?

But new houses are improving their IQs. After many years of futuristic talk without much follow-through, builders are beginning to install automated systems that act like all-knowing butlers. Not surprisingly, the systems are most popular in expensive houses, where budgets are big and rooms so numerous that even turning off lights at bedtime can be burdensome.

[...]

"When my 3-year-old boy comes out of his room at night, a motion detector turns on the hallway light for him," says Robert Pomeranz, a banking executive who lives in a new 7,500-square-foot house outside Washington. "Obviously, it's not worth buying an integrated control system for small things like that, but it's amazing how useful the system can be as you become comfortable with it."

Like humans, the systems aren't perfect. A light may turn on for no apparent reason or a front door may refuse to open for its master. [That sounds nice in an emergency...]

"The houses we're building today have interiors right out of the space age, even though their exterior appearances are traditional," said Kenneth Nadler, an architect in Mount Kisco, NY, who designs expensive houses. "It's Jetson on the inside and Gatsby on the outside."
For a homeowner eager to outdo even George Jetson, the futuristic TV cartoon character, there's a $26,000 whirlpool that accepts calls - say, from a car phone - to start water running at bath-perfect temperature. Too expensive? For less than $1,500, there's a fireplace with a gas flame adjustable from glowing to roaring by infrared remote control. [Could Audi 5000's order up a bath by themselves? :-) ]

But even aficionados have their limits. "I'm afraid of those things," said Joel Sommer, a Maryland builder who infuses his multi-million-dollar houses with high technology. "What would happen if the whirlpool didn't shut off automatically or gas started flowing in the fireplace without an ignition spark? I just don't see the benefit of some products."

Certainly, automated devices built into houses today do not always make practical sense. It is a situation reminiscent of the home-computer craze in the early 1980's, when companies promoted computers for such uses as storing recipes, even though ingredients that only soil a cookbook page might easily destroy a kitchen keyboard. Today home computers are common, but not for recipes or checkbook balancing or other uses suggested by early promoters.

"In similar fashion, I'm sure we'll find a great many applications for home automation that people haven't thought of yet or haven't predicted to be big winners," said Roger Dooley, editor of Electronic Home, a trade magazine published in Mishawaka, Ind. "And what's being touted today as big benefits may end up being used by only a few homeowners."

[...]

"I live alone in a 10,000-square-foot house with only my housekeeper, so I need to feel really secure, and what I've installed is state-of-the-art," said [... someone who has such a system. She also ...] has a sensor in each room to control the temperature, and only once have things gone awry. "During a storm with heavy lightning the sensor in the living room got stuck at 95 degrees," she said.
"So the air-conditioning system kept trying to cool the room. It felt like a meat locker."

[...]

Beyond that, there's the gee-whiz appeal, like a synthesized voice in the kitchen that announces when a letter carrier has delivered the mail.

[...]

"You don't have to install an integrated control system," said Mr. Sommer, the developer, who is completing an 11,000-square-foot house with such a system. "I happen to enjoy them because my background is in computer science. But really, they're toys."

[discussion of business aspects of marketing these systems...]

One futuristic idea now becoming more practical is voice control. Already, voice-recognition devices that allow a computer to understand a vocabulary of about 75 words are available for less than $500. As those devices become more powerful and less expensive, they will be an option for controlling home automation.

"You'll be able to just walk up and talk to it," explained David MacFadyen, an industry expert. "When you say, 'Good night, house,' the temperature controls will be set back in unoccupied areas, the hot-water heater will be set back, the phone will go on voice-mail. Just a couple of words will trigger an evening shutdown sequence that is far more elaborate than anything we can think of now."

["Good night, RISKS" ... --> EXIT, SEND, QUIT, LOGOUT]

Jake Livni

------------------------------

Date: Mon, 14 Aug 89 14:48:31 +0100
From: Ian Gent
Subject: Automated Driving

A documentary on UK's Channel 4, 13 Aug 1989, was about traffic problems, especially congestion in cities. After concluding that there was no obvious and fair solution, the programme suggested that the best hope lay in more automation in cars. What's more, the programme implied that machines driving cars would be feasible in the medium term (next decade or two). For instance, shots were shown of a human driven automobile in which experimenters were recording data about close vehicles, etc.
Apparently, and I paraphrase the commentator, although the researchers were only recording data, there's no reason in principle why the information should not be fed into control computers. The clear implication was that this would be much safer than letting humans drive. Also, with automatically or semi-automatically driven vehicles, it would be possible for my vehicle to refuse to let me drive into a city centre if the centre was too busy.

The risks are obvious and horrific, but what is even more depressing is that experts in other fields just do not see the risks, and that TV researchers do not even think to ask anybody who might know about these risks.

Ian Gent, University of Warwick, Coventry, UK

------------------------------

Date: Mon, 14 Aug 89 10:18:16 NZS
From: J.Holley@MASSEY.AC.NZ
Subject: Marijuana Virus wreaks havoc in Australian Defence Department

Quoted from The Dominion, Monday August 14 :

A computer virus called marijuana has wreaked havoc in the Australian Defence Department and New Zealand is getting the blame.

Data in a sensitive security area in Canberra was destroyed and when officers tried to use their terminals a message appeared : "Your PC is stoned - Legalise marijuana".

Viruses are [guff on viruses]

The New Zealand spawned marijuana has managed to spread itself widely throughout the region. Its presence in Australia has been known for the past two months. The problem was highlighted two weeks ago when a Melbourne man was charged with computer trespass and attempted criminal damage for allegedly loading it into a computer at the Swinburne Institute of Technology.

The virus invaded the Defence Department earlier this month - hitting a security division responsible for the prevention of computer viruses. A director in the information systems division, Geoff Walker said an investigation was under way and the infection was possibly an embarrassing accident arising from virus prevention activities.
New personal computers installed in the section gobbled data from their hard disk, then disabled them. Initially it was believed the virus was introduced by a subcontractor installing the new computer system but that possibility has been ruled out.

One more outlandish theory suggested New Zealand, piqued at its exclusion from Kangaroo 89 military exercises under way in northern Australia, was showing its ability to infiltrate the Canberra citadel. New Zealand was not invited to take part in Kangaroo because of United States' policy of not taking part in exercises with New Zealand forces since Labour's antinuclear legislation. However, New Zealand observers were invited.

New Zealand Defence Department spokesman Lieutenant Colonel Peter Fry categorically denied the claim. "It would be totally irresponsible to do this kind of thing." In fact, New Zealand's Defence Department already had problems with the virus, he said.

------------------------------

Date: Sat, 5 Aug 89 22:06 EDT
From: McLellan.Catwalk@DOCKMASTER.NCSC.MIL
Subject: Universal Trapdoors

If most large-system sites have user-installed trapdoors...

If techies and technical management install these trapdoors to evade the access control tables because they are convinced these subsystems are 1) too often mismanaged, 2) too easily corrupted, 3) too cumbersome in an emergency, or 4) too prone to technical failure...

Then -- so long as this huge community of unbelievers remains unwilling to submit to the control of the access control system -- we _will_ have users installing trapdoors for an alternative path to high-privileged status, despite the obvious risks.

If 15 years of unrelenting propaganda by the vendors and gurus have left the users so unwilling to follow the prescribed path of righteousness, maybe someone other than the users should reconsider.
As it is, user-installed trapdoors are almost universal on big systems, but because they are illicit, "secret," they are seldom protected by anything more than their obscurity.

What is so wrong about giving the users a safe model for what they demand -- a route around the access control system -- when they just take it anyway, security be damned? Who is being more unrealistic: the system programmers who code these traps, or the security specialists who ignore the fact that virtually all systems have trapdoors? Aren't we talking about trusting people who are already virtually all-powerful in their environment? Why can't we use an alternative security device to secure this alternative access path?

Encryption seems a likely padlock. With a mix of synch and asynch crypto, it seems possible to set up a "one-time key" access, supported by user authentication, separation of function, audit trails. Heck, add an audible alarm. Even without the PKE frills, simple encryption can put a lock on what is otherwise an open gate hidden in the thickets.

Continuing the masquerade, ignoring the existence of the problem, gets us nowhere. For twenty years people have been showing me trapdoors into systems. Now, I'm shown or told of trapdoors that open whole networks (recently, one which popped a net of control systems for a major phone company, installed by management.) Now, I chat with hackers who give tutorials on how to locate user-installed trapdoors. One "specialist" recently told me that it seldom takes him more than 20 minutes to identify such a trapdoor in a typical corporate MVS system. The auditors are not the only ones, nor likely the most challenging foe, these users have to outsmart.

Vin McLellan
The Privacy Guild (voice/fax: 617-426-2487)
Boston, Ma. 02111

------------------------------

Date: 4 Aug 89 07:23:56 PDT (Friday)
From: Rodney Hoffman
Subject: Computer Problems at Saratoga Racetrack

From wire service stories in the 'Los Angeles Times' August 3 and 4, 1989:

Computer problems frustrated a record opening-day crowd at New York's Saratoga Race Track on Wednesday, and track officials said Thursday's card might be canceled if the problem was not fixed by Thursday morning. Bettors were kept in the dark about the odds, payoffs, and even the time of day. "There's some sort of gremlin running around that software, and we can't find it," said Gerard McKeon, president of the New York Racing Assn on Wednesday. ... The computer problem extended Wednesday's nine-race card by an hour and cost NYRA about $1.5 million in handle, McKeon said. Pari-mutuel machines and the track's tote boards were also affected by the problem.

Technicians worked through the night to replace the software, and things were apparently back to normal on Thursday.

------------------------------

Date: 3 Aug 89 21:35:32 GMT
From: davef@brspyr1.brs.com (Dave Fiske)
Subject: Computer Breakdown Thwarts Saratoga Bettors

Here's a first-hand account of an item for RISKS, since I was there on Wednesday.

August 3, 1989, Latham, NY

Yesterday was opening day for thoroughbred racing at the Saratoga Race Course in Saratoga Springs, New York. It was a computer disaster. The beginning of the 122nd season was ruined by computer problems which forestalled the placement of wagers for Races 5 through 9 of the 9-race program. The New York Racing Association, which operates Saratoga and the other racing facilities in New York, is estimating a loss of $1.5 million in on-track, and $2 million in off-track handle. The loss in good will is not measurable--parimutuel systems are dependent on their accuracy and reliability for continued patronage--chances are most fans will be forgiving and come back. Provided, that is, that the system gets straightened out.
This is by no means certain. Racing officials announced yesterday that they had no idea what had caused the computer system to crash, and for fans to listen for a 9 AM announcement this morning before heading for the track. This morning, NYRA announced that they intend to offer wagering today, that they believe they have found the software problem and corrected it, and that they are "80%" sure the system will work correctly once betting begins today.

Like most tracks, betting information is displayed both on Tote Boards (light-bulb displays) and on computer-generated video screens. Both types of displays were affected by the problem(s)--at one point, I observed that odds displayed on the two types differed. (Presumably one was being updated from the computer, and the other not. However, regardless of which was correct, some fans were being provided with inaccurate information.)

Though the displays worked on and off from the 5th race on, the betting machines did not function at all. The machines are of two types--terminals which are located at the regular betting windows, and which are operated by track employees; and so-called "SAMs", which employ touchie-feelie screens so that bettors can place their own wagers. The self-service machines allow a bettor to insert a winning ticket or a cash voucher. Under ordinary circumstances, the value of the ticket or voucher is read and then displayed on the screen. At the beginning of the computer outage, machines were displaying incorrect values for tickets, or simply eating tickets or vouchers. Bettors who had encountered problems at the betting windows at least had a human clerk to complain to--those using the SAMs had to stand around wondering what to do.

Post times for races were delayed in hopes that the computers could be made to operate, but to no avail. The final race took place nearly an hour later than usual--and only those few who had made advance wagers early in the day had any money riding.
Because the system handles both bets and payoffs, automated calculation of prices for winning horses was also pretty much incapacitated. People holding winning tickets (even from previous races) were not able to cash them.

Technicians worked overnight, having flown up from Autotote in Delaware, and apparently fixed some software problems, but officials still are not certain of what happened exactly. Today, Thursday, the system seemed to operate properly. The normal $2 admission fee was waived, as a gesture to yesterday's disappointed fans. However, given that officials were uncertain this morning that it would hold up, the system's performance may have been more luck than anything else.

Other than having diagnosed the problem as a software, rather than a hardware, one, officials are offering no explanation as to what the problem was. However, as an outsider, one could focus on the following factors:

When the season at Saratoga starts each year, most of the equipment used is moved up from Belmont Park, near New York City. The move, which includes starting gates, etc., as well as the computers, betting machines, and TV monitors, takes place in the timespan from the last race at Belmont on Monday to the first race at Saratoga on Wednesday. Assuming that no hardware damage occurred in transit, this allows very little time for testing, since some of those 30-40 hours are taken up by travel time and installation.

Though officials say that software changes are made nearly every week, a number of changes--some in effect only for the Saratoga meet--were made in the betting rules. For example, Triple betting is now offered in the 8th as well as the 9th race; the number of horses required to be entered in races offering certain exotic wagers was lowered; and for two racing days only, when important stakes races are run, exacta wagering will be allowed for all races, regardless of the number of horses entered.
My guess is that more--and more sophisticated--software changes were made than normally, and that, with limited time to test a system which was asked to handle wagers from 30,000 people yesterday, some bug went undetected until triggered yesterday.

It will be interesting to find out what backup setup NYRA utilizes. Officials mentioned today that, if the system broke down today, hopefully their backup systems would not fail, so that they could determine what went wrong. This leads me to believe that there was a secondary failure of some type yesterday, such that the planned backup process did not work.

------------------------------

Date: Fri, 4 Aug 89 22:32:43 EDT
From: dff@Morgan.COM (Daniel F. Fisher)
Subject: RISKS summer reruns?

During the present slow-down in RISKS, I was particularly happy when, this evening, my netnews reader presented me with an `unread' RISKS digest. It was not until I was half way through it that I realized it was one I had already seen. In fact it was RISKS 8.81 from 17 June 1989.

Was this a local phenomenon, or has the Network, not wishing to RISK lower ratings, started airing Summer Reruns?

Just curious,

Daniel F. Fisher, Morgan Stanley & Co. Inc.

------------------------------

From: horning@src.dec.com (Jim Horning)
Date: 2 Aug 1989 1828-PDT (Wednesday)
Subject: For your amusement [ RISKS summer reruns? ]

Here's the Path: on the copy of RISKS 8.81 that just arrived!

Path: jumbo!decwrl!purdue!mailrus!csd4.milw.wisc.edu!leah!rpi!batcomputer
!cornell!rochester!rit!tropix!moscom!ur-valhalla!uhura.cc.rochester.edu
!sunybcs!rutgers!cs.utexas.edu!tut.cis.ohio-state.edu!ucbvax!KL.SRI.COM!RISKS

------------------------------

End of RISKS-FORUM Digest 9.9
************************