RISKS@SRI-CSL.ARPA (RISKS FORUM, Peter G. Neumann, Coordinator) (02/26/86)
RISKS-LIST: RISKS-FORUM Digest, Tuesday, 25 Feb 1986 Volume 2 : Issue 16
FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Contents:
Volunteers to study security of computerized voting booths? (Kurt Hyde)
Our Economy Is Based On Electricity (Jared M. Spool)
Misdirected modems (Jared M. Spool)
The Titanic Effect (Earl Boebert)
The RISKS Forum is moderated. Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious. Diversity is welcome.
(Contributions to RISKS@SRI-CSL.ARPA, Requests to RISKS-Request@SRI-CSL.ARPA.)
(Back issues Vol i Issue j stored in SRI-CSL:<RISKS>RISKS-i.j. Vol 1: MAXj=45)
----------------------------------------------------------------------
Date: Tuesday, 25 Feb 1986 04:45:16-PST
From: hyde%topcat.DEC@decwrl.DEC.COM (Kurt Hyde DTN 264-7759 MKO1-2/E02)
To: risks@sri-csl.ARPA, self%topcat.DEC@decwrl.DEC.COM
Subject: volunteers to study security of computerized voting booths?
How secure are computerized voting booths?
I teach Systems Analysis at a local college here in Nashua, NH. For the
last two years, my students and I have been studying the impact of
computerization on voting security. The recent charges of fraud in Mexican
and Phillipine elections increase the importance of such studies as
computers are now being implemented into three areas of voting --
maintaining voter registration lists, tallying of votes, and directly
computerized voting.
Last year's class discovered that an OEM was manufacturing a computerized
voting booth. Further research has revealed that the company's strategy for
ensuring security is secrecy of operation. Secrecy of operation increases
the difficultly in penetration, but it also has a negative side effect of
making it difficult (if not impossible) to detect tampering.
There are many documented cases of accidental miscalculation in computerized
vote tallying equipment. The reasons why such errors were discovered is
because reconstruction and recount was possible. Investigators
reconstructed by gathering the machine-readable ballots. They were then
able to recount by machine or by hand. Such reconstruction is impossible
with the current state of the art in computerized voting booths because no
physical ballots are created. Recounts in such cases are wholly dependent
upon the software to have stored each vote in its proper storage location at
the time of voting.
As far as I can tell, no computerized voting booth has ever been subjected
to product testing by hackers. I discussed this with the chief engineer at
the first company to make computerized voting booths. He agreed with me in
a phone conversation that such testing would be nice and that he was open to
the idea. However, the only way to get something done in this area is for
concerned citizens to try it. There are now at least three companies either
making or planning to make computerized voting booths and, according to the
FEC, they all intend to rely on secrecy of operation for security. Oddly,
none of the companies have named their flagship products "The Titanic".
Do you think these people have developed perfect, unbreakable codes? Some
associates of mine and I think not. In fact, we have begun to formulate
some testing strategies. I've done a lot of work myself, but I now need
some expertise in the areas of cryptography, decompiling programs, and
MS-DOS on IBM PC.
Perhaps we can avoid having a Marcos-Aquino style problem here in America.
Kurt
------------------------------
Date: Tue, 25 Feb 86 11:47 EST
From: Jared M. Spool <Spool@SCRC-STONY-BROOK.ARPA>
Subject: Our Economy Is Based On Electricity
To: risks@SRI-CSL.ARPA
Last week, on payday, I was informed from our efficient payroll department
that my bank account would not be credited with my automatic deposit of my
paycheck for a couple of days. The reason that was given was a "Power
Blackout In The LA area". (Our payroll is handled out of our LA office,
while R&D is on the east coast. I don't know the reason for this
polarization. I think it has to do with opposites repelling or something.)
A lot of our economy is based on things that use electricity. While battery
backups are not uncommon in computer systems, what percentage can withstand
a 24 hour blackout? How about 48 hours?
If NY were hit with a 48 hour blackout, what would happen to the NYSE?
I realize that there are lots of social things that happen during blackouts
(like rioting and baby booms), but these things tend to be localized to the
area of the outage. But, as I stated above, I need a cross country
connection to get paid. How much of our economy would be downed because of
something like this?
------------------------------
Date: Tue, 25 Feb 86 11:31 EST
From: Jared M. Spool <Spool@SCRC-STONY-BROOK.ARPA>
Subject: Misdirected modems
To: RISKS FORUM <RISKS@SRI-CSL.ARPA>
From: Alan Silverstein <hp-sdd!hpfcla!ajs@nosc.ARPA>
Date: Mon, 24 Feb 86 11:12:54 pst
Subject: misdirected modems
Twice recently, computers at our company (Hewlett-Packard) have been the
embarrassing causes of telephonic annoyance. Phone numbers entered
incorrectly in uucp L.sys files, due to typos or misunderstandings, have
led to systems repeatedly calling private telephones in Fort Collins.
[...]
I bet this happens a lot more than anyone realizes or admits.
I'll admit it. Four jobs ago, I worked at (what was then a startup) as
one of two developers on a electronic mail package using regular phone
lines as the network. We used to test the product, over night, by
having the five test machines try to send and receive 100-200 messages
(per machine) over the five phone lines. (We did this in batches of 20
messages.) The tests were set to start anywhere from 11:00 p.m. to 3:00
a.m. and could go 2-3 hours in length depending on how we set them up.
Different machines would have different starting and length times.
The product worked, such that if the phone was busy or didn't answer,
(the modem couldn't detect the difference,) it would try again after a
certain delay (approx 15-20 minutes) until it failed 10 times. The test
was set up that each batch would generate only one phone call.
One morning, after running such a test, I noticed that, on one of the
machines, all of the batches set to go to a second machine didn't make
it, while all of the batches for the other three machines did. On
further investigation, I determined that the phone number for the second
machine was incorrectly typed into the sending machines database. It
turned out to be a residence, and an apology was made. We double
checked our test sets before starting them, after that.
In conclusion, it is very easy, with today's technology to do such a
thing. Modem technology has even progressed that the modems themselves
redial the numbers until a connection is made, with no regard to the
fact that there will never be a machine on the other end.
We have always had wrong numbers. However, when a human dials a wrong
number, there is (almost) immediate confirmation that the number is wrong,
and a second or third or tenth retry is not attempted to the same number.
Maybe what we need is a touch tone code (or something) that one can
enter into a modem that says "The number you have is wrong, go away."
------------------------------
Date: Tue, 25 Feb 86 18:21 CST
From: Boebert@HI-MULTICS.ARPA
Subject: The Titanic Effect
cc: risks@SRI-CSL.ARPA
This rule is, I believe, actually an instance of the 28th Axiom of
Systemantics: "When A Fail-Safe System Fails, It Fails by Failing to Fail
Safe." All 32 Axioms, the Four Basic Postulates, and Corollaries can be
found in the delightful _Systemantics_ by John Gall (Quadrangle/NYT Books,
1977, ISBN 0-8129-0674-8), which deserves to be better known.
Earl
------------------------------
End of RISKS-FORUM Digest
************************
-------