Volume 23: Issue 1 Friday 7 November 2003 Contents - M. E. Kabay


The Risks Digest Volume 23: Issue 1
Forum on Risks to the Public in Computers and Related Systems
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Friday 7 November 2003
http://catless.ncl.ac.uk/Risks/23.01.html (1 of 21) 2005-04-15 12:18:07

Contents

  Credit agencies sending our files abroad
    David Lazarus via Paul Saffo
  Crypto screwup: Sensitive Israeli missile test inadvertently broadcast
    Craig S. Bell
  A new risk for electronic voting
    Jeremy Epstein
  California Halts E-Vote Certification
    Kim Zetter via Monty Solomon
  Touch screen voting -- like Web site maintenance?
    William Nico
  Irish Labour Party urges suspension of e-voting until flaws addressed
    Patrick O'Beirne
  E-ZPass, UPS, and Newark Airport
    Susan Landau
  Microsoft puts a price on the heads of virus writers
    NewsScan
  Microsoft patches their patched patches
    Robert Bruce Thompson via Dave Farber
  Remember those jokes about "if AT&T built cars?"
    Daniel P.B. Smith
  Duh! an electronic signature!
    Geoff Kuenning
  Paying employees is not rocket science
    Paul Robinson
  Another victim of the d n bad-word filter!
    Adam Abrams
  REVIEW: "High Integrity Software", John Barnes
    Rob Slade
  Info on RISKS (comp.risks)

------------------------------

Credit agencies sending our files abroad (via Dave Farber's IP)

Paul Saffo psaffo@iftf.org
Fri, 07 Nov 2003 08:47:57 -0800

David Lazarus dlazarus@sfchronicle.com, *San Francisco Chronicle*, 7 Nov 2003 [PGN-ed]
sfgate.com/article.cgi?file=/c/a/2003/11/07/MNG4Q2SEAM1.DTL
IP Archives at: ting-people/

Two of the three major credit-reporting agencies (Equifax, Experian and TransUnion, each holding detailed files on about 220 million U.S. consumers) are in the process of outsourcing sensitive operations abroad, and a third may follow suit shortly. Privacy advocates say the outsourcing of files that include Social Security numbers and complete credit histories could lead to a surge in identity theft because U.S. laws cannot be enforced overseas. For their part, the credit agencies say the trend is a necessary cost-cutting move in light of new legislation that would allow all consumers to obtain free copies of their credit reports.

states that would cost them as much as $350 million a year.)

"The application of American law in a foreign country is difficult, if not impossible," said Sen. Dianne Feinstein. "Therefore, the more companies move overseas, the less American law can control the uses for which personal data is put. And this can only represent an increasing threat to the privacy of our citizens."

Sen. Barbara Boxer said she would ensure that the matter was raised as senators and House members completed changes to the Fair Credit Reporting Act. "This information is very significant, and I intend to make sure that the conferees who are finalizing the bill are aware of the *Chronicle*'s investigation in hopes that they will protect Americans from such outrageous invasions of privacy," Boxer said.

------------------------------

Crypto screwup: Sensitive Israeli missile test inadvertently broadcast

"Craig S. Bell" craig@runbox.com
Thu, 06 Nov 2003 22:38:47 GMT

A security lapse by Israel Aircraft Industries apparently permitted an internal screening of a missile test to be accessible by satellite
es/357662.html
[PGN-ed; also ap-israel-missile-test,0,409849.story?coll=sns-apnationworld-headlines]

------------------------------

A new risk for electronic voting

Jeremy Epstein jeremy.epstein@webmethods.com
Thu, 6 Nov 2003 15:56:08 -0500

The RISKS of electronic voting have been discussed often enough in this forum that I won't repeat them further (cf. Rebecca Mercuri's piece in RISKS-22.96).

Last week's election in Fairfax County (Virginia) had a new risk I haven't seen covered before. They use WinVote machines, made by Advanced Voting Solutions of Frisco, Tex. These are essentially Windows laptops with a touchscreen and an 802.11 wireless net. (More about that in another RISKS article one of these days.)

Seems that during the election, at least eight of the machines failed (out of almost 1000 in use county-wide), and were taken out of the polling places to a central repair facility, and then brought back after some form of "repair" was made (a reboot at the polling place did not solve the problem). The seals were broken, but the voting officials in the precincts were told to resume using them. The result was a lawsuit by the Republican party seeking to invalidate the votes from those machines. There aren't enough votes at stake that it would change any of the election results.

Of course, the real problem is that without any sort of physical (paper) record, it's impossible to prove what really happened when the machines were being "repaired".

In addition, the "hi tech" vote counting (which was supposed to occur by uploading the results from every precinct to a central computer over a dial-up line) overloaded the servers, and "More than half of precinct officials resorted to the old-fashioned telephone to call in their numbers or even drove the results to headquarters, elections officials said. A handful of precincts went back to paper ballots."

The only thing that's surprising here is that the election officials were surprised.

See 7-2003Nov5.html

------------------------------

California Halts E-Vote Certification (Kim Zetter)

Monty Solomon monty@roscom.com
Tue, 4 Nov 2003 19:16:59 -0500

Kim Zetter, Wired.Com, 3 Nov 2003

SACRAMENTO, California -- Uncertified software may have been installed on electronic voting machines used in one California county, according to the secretary of state's office. Marc Carrel, assistant secretary of state for policy and planning, told attendees Thursday at a panel on voting systems that California was halting the certification process for new voting machines manufactured by Diebold Election Systems. The reason, Carrel said, was that his office had recently received "disconcerting information" that Diebold may have installed uncertified software on its touch screen machines used in one county. He did not say which county was involved. However, Secretary of State spokesman Douglas Stone later told Wired News that the county in question is Alameda.

0.html

------------------------------

Touch screen voting -- like Web site maintenance?

William Nico nico@mcs.csuhayward.edu
Wed, 5 Nov 2003 09:02:54 -0800 (PST)

The 4 Nov 2003 election in Pleasanton, CA had only a School Board choice on the ballot. However, the "Instructions", which comprised the opening page on the touch screen voting machine, were wholly focused in detail on the gubernatorial recall election of 7 Oct 2003!

------------------------------

Irish Labour Party urges suspension of e-voting until flaws addressed

"Patrick O'Beirne" pob2002@sysmod.com
Mon, 03 Nov 2003 19:39:55 +0000

http://www.labour.ie/press/detail.tmpl?SKU=20031103143251

Press Release
Gilmore urges suspension of e-voting until flaws addressed
Eamon Gilmore TD, Labour Spokesperson on Environment and Local Government
Issued on Monday 03 November, 2003

The Labour Party has called for the suspension of plans to extend electronic voting until the e-voting system has been changed.

The call was made today (Monday) by the Labour Party Spokesperson on Local Government and the Environment, Eamon Gilmore TD, at a Press Conference to launch a study of electronic voting system which was commissioned by the Labour Party. The report was prepared by two Labour Party members, Shane Hogan and Robert Cochran who are both experienced IT specialists.

Deputy Gilmore said:

"The report identifies a number of major flaws and deficiencies in the electronic voting system which the Government plans to extend to all areas of the country for the Local and European Elections next year.

The major defects are:

* No integrated end-to-end test of the entire system has been conducted to date. The testing of the Integrated Election Software (IES) software was carried out by the UK based Electoral Reform Society in 2002. However for this test the random mix feature of the IES was disabled. An integrated end-to-end test would generally be considered a key part of the implementation of any new technology.

* Formal Methods were not used to prove the accuracy of the software. Formal Methods refer to a set of mathematically based techniques that are used in the development of safety-critical software such as airplane navigation or life support machines. The Department of the Environment has not made the actual source code publicly available but it is clear from the technology used and source code review that formal methods were not used and that therefore there are bugs in the software.

* It is possible that the data-base on the Count Centre PC, which is Microsoft Access, could be overridden by a replacement pre-prepared database, which could be designed to give a specific result by a single "copy" command. In addition vote information is transferred between PCs at the Count Centre on floppy discs. It would not be difficult to exchange discs.

* Unauthorised persons could produce a version of the NEDAP voting machine software and/or the IES which could be designed to give an election result biased in favour of a particular Party or Candidate.

"These threats are possible because the proposed electronic voting system lacks the transparency of the current paper ballot system. The voter has no way of being certain that the vote which he/she casts is accurately recorded by the voting machine and software and is thereafter not overridden by a corruption of the Count Centre software. The voter is expected to have blind trust in the technology.

"The Labour Party is proposing a number of reforms which will be necessary if the proposed electronic voting system is to be reliable, free from interference and if it is to enjoy the confidence of the public.

"The reforms proposed by the Labour Party are as follows:

1. The introduction of a Voter Verifiable Audit Trail (VVAT) which would create a parallel paper record of votes cast which could be stored and checked in the event of a dispute over an election outcome.

2. The use of Formal Methods to ensure that the software used in both the election machines and in the vote counting is totally reliable.

3. The adoption of formal procedures to prevent interference either with the machines software or counting process.

4. The carrying out of an integrated end-to-end test of the entire system.

5. The establishment of an independent audit and supervisory role over electronic voting for the Standards In Public Office Commission.

"The complete changeover to electronic voting next June will be the biggest single change in the country's electoral practice since Independence.

"It is essential that electronic voting has the confidence of the public and of the participants in elections. The system which the Government intends to use next June is seriously flawed. No democracy should proceed with a new electoral system which opposition Parties fear may lead to election rigging.

"It is essential for continuing confidence in the electoral system that the proposed electronic voting be changed. The Government should suspend plans for the extension of electronic voting until the reforms proposed by the Labour Party have been implemented."

------------------------------

E-ZPass, UPS, and Newark Airport

Susan Landau susan.landau@sun.com
Mon, 3 Nov 2003 10:16:03 -0400

[This appeared in the Metropolitan Diary section of *The New York Times*, 3 Nov 2003. It is yet another example of what can happen when perfectly plausible actions are combined in unexpected ways. Fortunately this one is humorous. Susan Landau]

Dear Diary:

After moving to Nashville from New York recently, it occurred to me that I no longer had a pressing use for my E-ZPass. Following the E-ZPass instructions, I filled out a few forms and dropped my pass off at United Parcel Service, destination Staten Island service center.

Two weeks passed, and I received my normal E-ZPass e-mail statement. I entered my account and, lo and behold, my recently surrendered pass had been used by someone to go from Newark Airport to Exit 18 on the New Jersey Turnpike.

I was incensed.

I immediately called E-ZPass and informed them that someone had stolen my pass. I explained that I had mailed the pass and that now someone was running up and down the turnpike using it.

Very calmly, the E-ZPass representative said, "Sir, your E-ZPass was not stolen, it is in the UPS truck, and every time that truck goes through an E-Z Pass toll booth, it is going to register another toll."

------------------------------

Microsoft puts a price on the heads of virus writers

"NewsScan" newsscan@newsscan.com
Thu, 06 Nov 2003 08:58:12 -0700

Microsoft is using an old-fashioned tactic to fight new-fangled viruses - it's created a $5-million Anti-Virus Reward Program and is offering $250,000 bounties for information leading to the arrest and conviction of the people behind last summer's Blaster worm and Sobig virus. Together, those attacks are blamed for $2 billion in losses by businesses and consumers, according to consulting firm Computer Economics Inc. Security experts are split on whether the new initiative will prove successful, but Microsoft senior security strategist Philip Reitinger says, "What we hope to accomplish is to give people an incentive to do the right thing." [*Los Angeles Times*, 6 Nov 2003; NewsScan Daily, 6 Nov
y6nov06,1,4082881.story?coll=la-headlines-technology

[The sad part is that for $5M, MS cannot fix its deeper computer security problems, so that expenditure will not solve their problems. On the other hand, if MS spent $2B rearchitecting and reimplementing their software, think what might be done! (On the other hand, I recall the period in the 1970s when IBM reportedly spent $40M on improving its mainframe computer security. The old joke at the time was that they spent $39M on public relations and $1M on travel.) PGN]

------------------------------

Microsoft patches their patched patches (IP)

Robert Bruce Thompson
Mon, 03 Nov 2003 11:34:47 -0500

(via Dave Farber's IP, with an addition forward from Mark Luntzel)

For years, the conventional wisdom has been that one can't trust Microsoft software until version 3.0, and that apparently is true for their security patches as well.

The middle of last month, with much fanfare, Microsoft went to their new scheme of releasing patches in batches once a month. A week or so later, they released batches of patches to those batches of patches. Now, they're releasing batches of patches to the batches of patches to the batches of patches.

For details, see: /3101901

These batches and batches of patched patched patches are critical, so don't ignore them. And, the way things are going, look for batches and batches of patched patched patched patches sometime next week.

Robert Bruce Thompson thompson@ttgnet.com
http://www.ttgnet.com/thisweek.html
http://forums.ttgnet.com/ikonboard.cgi

------------------------------

Remember those jokes about "if AT&T built cars?"

"Daniel P.B. Smith" dpbsmith@verizon.net
Sat, 01 Nov 2003 14:38:40 -0500

... those humorous pieces that point out the ludicrous unusability of computer user interfaces by speculating on what a car with a similar user interface might be like? Well, don't laugh too hard. *The Boston Globe* auto writer Royal Ford just published an article headed:
electronic overload." *The Boston Globe*, 1 Nov 2003

"To start the heater or air conditioning in the [a 2-year old Acura] MDX, you start with the dashboard navigation screen, then make your way through a series of baffling electronic menus, through climate control and beyond. 'It's a distraction while you're driving,' [owner Stuart Schneiderman] said. The system in the [BMW] 7 Series ... remains a landmark in complexity, using a dial between the front seats to reach eight "points" of control. Each point then controls a multilayered system of options that many drivers have found to be like peeling an electronic onion. ... the system proved so complicated that Web sites have offered "cheats," hidden shortcuts like those used by video gamers. ... the Lexus LS430 [has] one of the most manageable electronic ... but the manual for the system runs to 178 pages."

To anyone who's ever had the window of a rental car frost up in traffic, while leaving an airport, with no place to pull over and no companion handy to dig out the owner's manual and locate the right button ... the RISKS should be obvious.

Daniel P. B. Smith, dpbsmith@world.std.com alternate: dpbsmith@alum.mit.edu

------------------------------

Duh! an electronic signature!

Geoff Kuenning geoff@cs.hmc.edu
Mon, 3 Nov 2003 23:39:07 -0800 (PST)

I just finished submitting a reference letter to the Hertz Foundation for a student. This process is done through a Web form. The foundation requires an electronic signature on the recommendation. The signature is collected by presenting the recommender with a Web page reading something like this:

    I certify that I am the person named below:
    (type name in box)

Even my wife, who is a musician by profession, reacted with "Oh, yeah, *that's* real secure!"

I suggest that instead, the foundation should simplify my life by simply providing a check box labeled "This recommendation is forged."

Geoff Kuenning geoff@cs.hmc.edu http://www.cs.hmc.edu/~geoff/

------------------------------

Paying employees is not rocket science

Paul Robinson postmaster@paul.washington.dc.us
Tue, 28 Oct 2003 23:31:25 GMT

WBIG radio reported Friday that there was a protest by employees of the Prince George's County [Maryland] School District over payroll problems. The School District has installed a new computer system and apparently is unable to generate payroll checks for quite a number of employees including school bus drivers. This is also causing problems with their health insurance as well. Some of the employees report that they have not been paid since the start of the school year. A School District spokesperson reportedly said they are working with Oracle to find where the problem is.

My own comment is that something is really strange here. I used to do payrolls myself, by hand. Generally you do them by computer because it's cheaper than using lots of clerks and because it scales better. But as this article's title noted, payrolls are not some arcane subject, the method to do them is pretty much cut and dried and has been probably since the 1970s or 1980s with the standard accounting rules in effect. The only issue is for the number of employees that the computer system will scale properly.

Let's presume PG county has perhaps 30,000 employees at the school district. If it takes an average of 10 seconds - obviously more than it actually takes - to do all required calculations for each check, such as what deductions, what payments, and how salary is computed, then they need 300,000 seconds to calculate payroll, or roughly about 84 hours. Split this onto 10 PCs and it takes 1 day. Probably 4 hours on a mainframe.

Basically the most labor intensive part of this is keeping the laser printers full of check stock. There's something wrong with here.

------------------------------

Another victim of the d n bad-word filter!

Adam Abrams adamabrams@shaw.ca
Mon, 03 Nov 2003 11:04:59 -0800

I tried to register as a user at collectorcartraderonline.com in order to save a search. Filled out everything, clicked "submit", and got this odd message: "This e-mail address has been flagged as inadmissible and you are unable to place an ad."

This could mean any number of things ranging from benign (I'd already registered and forgotten about it) to downright unsettling (I'm on some secret government hit list). OK, maybe the second one is unlikely, but it was still disturbing.

An e-mail cleared it all up: I'm the latest victim of the "bad word filter". As they put it: "The reason that you are unable to create an account is due to your e-mail address containing a vulgar word that has been flagged by our bad word table."

I had to call their toll free line to have an actual human sign me up. While on hold, I studied my e-mail address with fresh and suspicious eyes. It's my full name provider, "adamabrams@shaw(dot)ca". Even before the days of e-mail, I'd never noticed anything even slightly vulgar about my name. Could it be "bra"? They might have me flagged as a ladies-undergarment fetishist. "rams"? Maybe the L.A. football team has had an obscenely bad season. No, it was "dam". That's right, even misspelled bad words set off the alarm. So I'm also being punished for other people's illiteracy.

I guess the RISK is mainly that they'll lose customers due to an overzealous data filter that flags letter combinations that appear in many everyday words.

(Turns out the rep entered part of my address incorrectly, but when I logged in to correct my profile, my e-mail triggered the same bad language flag again! OK. I give up.)

------------------------------

REVIEW: "High Integrity Software", John Barnes

Rob Slade rslade@sprint.ca
Mon, 3 Nov 2003 07:08:12 -0800

BKHISTSA.RVW   20030913

"High Integrity Software", John Barnes, 2003, 0-321-13616-0
%A   John Barnes
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D   2003
%G   0-321-13616-0
%I   Addison-Wesley Publishing Co.
%O   416-447-5101 fax: 416-443-0948 800-822-6339 bkexpress@aw.com
%O   ASIN/0321136160/
%O   robsladesin03-20
%P   430 p. + CD-ROM
%T   "High Integrity Software: The SPARK Approach to Safety and Security"

Once upon a time, a group set out to build a language which would allow you to write programs that could be formally verified. Formal analysis and proof can be used to determine that a program will work the way you want it to, and not do something very weird (usually at an inopportune time). First came the attempt to build the Southampton Program Analysis Development Environment (or SPADE) using a subset of the Pascal programming language. When it was determined that Pascal wasn't really suitable, research was directed to Ada, and the SPADE Ada Kernel, or (with a little poetic licence) SPARK, was the result.

SPARK can be considered both a subset and extension to Ada, but is best seen as a separate language in its own right. SPARK forbids language structures such as the infamous GOTO statement of Fortran and BASIC (which cannot be formally verified). Support for some object-oriented features has been included in SPARK, but not for aspects like polymorphism which would make formal proof problematic. A great deal of the security of SPARK lies in the idea of contracts and the use of data specifications (usually referred to as interfaces) that prevent problems such as the unfortunately all-too-ubiquitous buffer overflow.

Part one is an overview of the background and features of SPARK. Chapter one reviews some of the problems of unproven software, and the major components of SPARK. Support for the formal proof functions, such as abstraction (the elimination of details not essential to the fundamental operation of the concept or function) are discussed in chapter two. The various analysis tools are listed in chapter three.

Part two outlines the SPARK language itself. Chapter four describes the structure of SPARK and the lexical items it contains. Language elements are covered in chapters five, six, and seven, successively dealing with the type model and operators, control and data flow, and packages and visibility (local, global, etc.) which also reviews the object-oriented aspects of SPARK. Interfacing of the various parts of SPARK, and also of SPARK and other languages, is in chapter eight.

Part three looks at the various analytical utilities in SPARK and the proof process. Chapter nine concentrates on the main Examiner tool. A mathematical discussion of data flow analysis, in chapter ten, is not necessary to the operation of SPARK, but provides background and explanation. Verification, and the instruments that support it, are reviewed in chapter eleven. Chapter twelve examines the rather vague practice of design, and proposes the INFORMED (INformation Flow Oriented MEthod of Design) process, although it seems to be limited to some admittedly useful principles. A list of similar precepts makes up the eponymous programming "Techniques" of chapter thirteen.

retails a number of case studies of the possible use of SPARK for various applications: the simpler ones also contain source code.

Both the writing in the book, and the explanations of SPARK, are clear. Formal methods of architecture and programming are not well understood, and this text does provide some justification for the exercise, although more evidence and support would be welcome. I recommend this work not only to those interested in more secure applications development, but also to those needing more information about formal methods in composition and system architecture.

copyright Robert M. Slade,
chrev/mnbksc.htm
sun.soci.niu.edu/~rslade/secgloss.htm

The Risks Digest Volume 23: Issue 2
Forum on Risks to the Public in Computers and Related Systems
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Weds 12 November 2003
http://catless.ncl.ac.uk/Risks/23.02.html (1 of 22) 2005-04-15 12:18:16

Contents

  Eurofighter Typhoon brake fault
    Peter B. Ladkin
  Computers in cars: "When you add complexity you add risks"
    NewsScan
  Mail-order price-listing typo cost company over 2 million
    Chiaki Ishikawa
  New election to be held due to technical glitch
    Kim Alexander
  Vanishing votes; wireless security experts
    Rebecca Mercuri
  Fairfax County electronic voting: the saga continues
    Jeremy Epstein
  Thwarted Linux backdoor
    Douglas W. Jones
  Talk of wiretaps rattles Hollywood
    Bernard Weinraub via Monty Solomon
  Update: Fun with stolen credit-card numbers
    Jonathan Kamens
  Re: SPARK Ada in "High Integrity Software"
    Peter B. Ladkin
  Re: goto in Slade's review of "High Integrity Software"
    Martin Cohen
    Andrew Dalke
  Marcus Ranum: The Myth of Homeland Security
    PGN
  REVIEW: "The GSEC Prep Guide", Mike Chapple
    Rob Slade
  Info on RISKS (comp.risks)

------------------------------

Eurofighter Typhoon brake fault

"Peter B. Ladkin" ladkin@rvs.uni-bielefeld.de
Wed, 12 Nov 2003 10:08:58 +0100

*Flight International* reported a braking problem occurring on a Eurofighter Typhoon aircraft on 9 Oct 2003 that led to the suspension of all flights (*Flight International*, 21-27 October 2003, p4, article by Julian Moxon). A cockpit warning light came on during landing, the pilot deployed the braking parachute, but the brakes could be used to bring the aircraft to a halt. The furlough lasted three weeks, and the aircraft were to return to flight operations last week. Apparently 15 days have been lost from the flight test program. The braking problem centered on a faulty microchip in the landing gear computer (*Flight International*, 4-10 Nov 2003, p6).

Peter B. Ladkin, University of Bielefeld,

------------------------------

Computers in cars: "When you add complexity you add risks"

"NewsScan" newsscan@newsscan.com
Wed, 12 Nov 2003 07:35:15 -0700

The computer systems in today's luxury cars are wonderful when they work right, but not so wonderful when something goes wrong. Donald Buffamanti of AutoSpies.com (self-described as "the ultimate insider guide to the world's best automobiles") says of one automaker's cars: "People have reported total electronic shutdowns to us attributed to the network in the 7 series." One luxury car owner, whose onboard computer gave monitoring information that sent him off to the service station every few days to check his tire pressure, complains: "Why does it have a computer that reads the problems if they can't fix them?" Responding to complaints such as these, a BMW executive says: "There is a not-uncommon shakedown period of one to two years with technology this new," and a Honda executive admits: "When you're adding complexity, you are adding risks." The BMW exec adds: "The good news is that if it's working right after four years,
