
[RISKS] Risks Digest 26.50

From: RISKS List Owner <risko_at_nospam>
Date: Tue Jul 26 2011 - 20:28:19 GMT
To: risks-resend@csl.sri.com

RISKS-LIST: Risks-Forum Digest Tuesday 26 July 2011 Volume 26 : Issue 50

Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
The current issue can be found at

National Popular Vote -- Needs Governor Brown's Veto (Rebecca Mercuri)
New Court Filing Reveals How the 2004 Ohio Presidential Election Was Hacked
  (Bob Fitrakis via Monty Solomon)
Software Designer Reports Error in Anthony Trial (Lizette Alvarez via PGN)
Computer problems may trump debt ceiling (Mark Thorson)
The British Phone Hacking Scandal (Peter Bernard Ladkin)
Indian government uses Hotmail! (Ashish Gehani)
Skype Vulnerability (Gene Wirchenko)
Booz Allen systems breached (Jason Ukman via PGN)
Do Not Track Not Being Followed (Grant Gross via Gene Wirchenko)
Man gets 18-year sentence for harassing neighbor through Wi-Fi (Mark Thorson)
Let's hope their code stays closed! (jidanni)
Decoupling Civil Timekeeping from Earth Rotation? (Rob Seaman)
Abridged info on RISKS (comp.risks)


Date: Sun, 17 Jul 2011 16:46:19 -0400
From: RTMercuri <notable@mindspring.com>
Subject: National Popular Vote -- Needs Governor Brown's Veto

Please take action in informing Governor Brown why AB 459 must be
vetoed. We stopped this in 2006. It needs to be stopped again! RM.

  [This was apparently presented to the Governor at 1:30pm PDT on 25 Jul. PGN]

Rebecca Mercuri, National Popular Vote Returns to California, 17 Jul 2011

Back in 2006, the National Popular Vote (NPV) Proposal was thoughtfully
vetoed in California when its incarnation (as AB 2948) crossed Governor
Schwarzenegger's desk. Unfortunately, this legislative whack-a-mole has
returned again to the Eureka state, this time in the form of AB 459, now
awaiting signing by Governor Jerry Brown. This passage would inch the likely
unconstitutional movement ever closer to the 270 electoral votes necessary
to activate its bogus plan.

For those who are unaware of the dangers of NPV, essentially it will require
pooling of the popular votes for U.S. Presidential candidates, among the
states that have enacted the bill, requiring that all of these states
collectively cast their electoral votes for the singular popular vote winner
of the pool. In other words, the popular vote winner in each individual
state will be entirely IGNORED, if the pooled votes' result is not the same.

An early proponent behind the NPV movement was well-known Presidential
election "spoiler" John B. Anderson. Anderson is also an outspoken supporter
of Instant Runoff Voting (IRV), another tabulation method that disregards
the "first choices" of voters in favor of an aggregated result. Touted as a
way to "level the playing field" between the states, NPV supporters use
fuzzy math claims in order to reject other more plausible and fair schemes
(such as dividing the electors within each state as to their proportion of
the different candidate votes) that do not require "winner-take-all" or
interstate pooling methodologies. One need only recall the fuzzy math that
Hillary Clinton's camp used in attempting to exclude caucus states from the
national popular vote in the 2008 Democratic primary, in order to gauge the
level of shenanigans that are likely to occur once an enormous block of
electoral votes comes into play.

As I (and others) had earlier informed Governor Schwarzenegger "Already, the
westernmost states have less of a say in the Presidential elections due to
early disclosures of vote totals and polling data from the states in earlier
time zones. This bill further reduces the impact or even necessity of
Californians in the decision process. Even more dangerously, states that
have inadequate or inferior election equipment or auditing processes may
adversely influence the vote totals, such that an incorrect popular vote
could be used to determine California's electors." All of this is still true
with the current version of the bill.

Your help is URGENTLY needed now in informing Governor Brown why AB 459 must
NOT become law. The contact information is: Governor Jerry Brown, c/o State
Capitol, Suite 1173, Sacramento, CA 95814; Phone: (916) 445-2841; Fax: (916)

Rebecca Mercuri, Ph.D.


Date: Tue, 26 Jul 2011 10:47:56 -0400
From: Monty Solomon <monty@roscom.com>
Subject: New Court Filing Reveals How the 2004 Ohio Presidential Election
  Was Hacked

Bob Fitrakis, *The Free Press*, 20 Jul 2011

A new filing in the King Lincoln Bronzeville v. Blackwell case includes a
copy of the Ohio Secretary of State election production system configuration
that was in use in Ohio's 2004 presidential election when there was a sudden
and unexpected shift in votes for George W. Bush.

The filing also includes the revealing deposition of the late Michael
Connell. Connell served as the IT guru for the Bush family and Karl
Rove. Connell ran the private IT firm GovTech that created the controversial
system that transferred Ohio's vote count late on election night 2004 to a
partisan Republican server site in Chattanooga, Tennessee owned by
SmarTech. That is when the vote shift happened, not predicted by the exit
polls, that led to Bush's unexpected victory. Connell died a month and a
half after giving this deposition in a suspicious small plane crash.

Additionally, the filing contains the contract signed between then-Ohio
Secretary of State J. Kenneth Blackwell and Connell's company, GovTech
Solutions. Also included with that contract is a graphic architectural map of
the Secretary of State's election night server layout system. ...



Date: Mon, 25 Jul 2011 19:03:51 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Software Designer Reports Error in Anthony Trial (Lizette Alvarez)

Lizette Alvarez, *The New York Times* nat'l edition, A14, 19 Jul 2011 [PGN-ed]

In the Casey Anthony trial, the prosecution repeatedly emphasized that the
defendant had conducted 84 searches on the word `chloroform'. However, John
Bradley (who created the CacheBack software that could have been used by the
prosecution to validate their use of the number 84) had declared during the
trial that the software actually came up with the number 1: only one such
search -- through Google, which then led to a website which was itself
searched only once. Bradley reported that finding to the court, but it was
never presented to the jury and the record was never corrected. Apparently,
the prosecution never attempted to verify their number, 84, using that
software.
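
  [An added example, not from the article, the trial record or the CacheBack
  software: the distinction this item turns on is between counting distinct
  search queries for a term and counting every history row (weighted by its
  visit counter) that merely mentions the term. The history records, host
  names and query-parameter names below are constructed assumptions.]

```python
"""Counting search events for a keyword in a browser history export.

Added example, not part of the RISKS item or of any forensic tool it
mentions. The records, hosts and parameter names are constructed.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed history export: (url, visit_count). Real exports carry more
# fields (timestamps, referrer, title); only these two matter here.
HISTORY = [
    ("https://www.google.com/search?q=chloroform", 1),
    ("http://chemistry.example/chloroform.html", 1),
    ("http://chemistry.example/compounds/chloroform", 19),
    ("http://chemistry.example/search?term=acetone", 1),
    ("https://www.google.com/search?q=how+to+reset+a+router", 2),
    ("http://news.example/article?id=4471&tag=chloroform", 2),
]

# Query-string keys that commonly carry a search term (assumption).
SEARCH_PARAMS = ("q", "query", "term", "s")


def extract_query(url):
    """Return the search term if the URL looks like a search request, else None.

    A request counts as a search when its path ends in /search and one of
    SEARCH_PARAMS carries a non-empty value; plain page visits return None.
    """
    parts = urlsplit(url)
    if not parts.path.rstrip("/").endswith("/search"):
        return None
    params = parse_qs(parts.query)
    for key in SEARCH_PARAMS:
        values = params.get(key)
        if values and values[0].strip():
            return values[0].strip().lower()
    return None


def naive_keyword_hits(history, keyword):
    """Every row whose URL contains the keyword, weighted by its visit counter.

    This is the kind of figure that inflates: revisits of a page about the
    term are not searches for the term.
    """
    kw = keyword.lower()
    return sum(count for url, count in history if kw in url.lower())


def search_events(history, keyword):
    """Search requests whose query contains the keyword, as (host, query)."""
    kw = keyword.lower()
    events = []
    for url, _count in history:
        query = extract_query(url)
        if query is not None and kw in query:
            events.append((urlsplit(url).hostname, query))
    return events


def count_report(history, keyword):
    """Both figures side by side, so a report can say which one it cites."""
    return {
        "naive_hits": naive_keyword_hits(history, keyword),
        "search_events": len(search_events(history, keyword)),
    }


if __name__ == "__main__":
    print(count_report(HISTORY, "chloroform"))   # {'naive_hits': 23, 'search_events': 1}
    for host, query in search_events(HISTORY, "chloroform"):
        print(f"search on {host}: {query!r}")
```

  The point for an examiner is that the two functions answer different
  questions; a report that says "84 searches" has to have been produced by
  something like the second one, and the figure should be re-derivable from
  the export by an independent tool.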


Date: Thu, 7 Jul 2011 22:15:50 -0700
From: Mark Thorson <eee@sonic.net>
Subject: Computer problems may trump debt ceiling

According to this article, the difficulty of reprogramming the computers at
the Treasury department may prevent that department from obeying the debt
ceiling, even if Congress doesn't raise it.


The risk is having a system designed under the assumption that the debt
ceiling will always be raised, compounded by the risk of having an incentive
against implementing the flexibility needed to accommodate the ceiling not
being raised. Or maybe the risk is having Congressmen who believe there
really is a debt ceiling.


Date: Fri, 22 Jul 2011 08:08:45 +0200
From: Peter Bernard Ladkin <ladkin@rvs.uni-bielefeld.de>
Subject: The British Phone Hacking Scandal

I have been following the scandal closely, because of what it says or does
not say about modern Britain.

Everyone notes wryly the French "corporate state" being run by ENiAcs, but
few people have noted how Britain has reverted to being run by Oxbridge
graduates - this time, indeed, by people who were once what we used to call
"little rich kids", former members of the Bullingdon club (look it up in
Wikipedia). Indeed, five members of the current government went to my very
college. Now, I am moderately attached to and supportive of my college, but
I am also very aware of how one's upbringing affects one's attitude to life
and am skeptical that people who were as financially and socially privileged
as some of these can understand, even begin to solve, issues to do with
Britain's poor and underprivileged, or the structural-economic issues
involved with Lancashire, Yorkshire, Northumberland and Durham, or with
Scotland, indeed with any parts except London and enclaves of wealthy
people. Or even figure out what is right and what is wrong with the NHS, or
with state secondary education, neither of which any of them have ever had
to experience.

I, personally, believe that the NHS and the state education of the sort I
received are two of the great achievements in Britain of the last
century. And I do have personal experience of three health systems, and
three university systems, as well as intimate knowledge of features of
school systems, over decades in three very different countries - and of
course three newspaper systems - so I like to think my perspective is

Press first. I think the British press has given up its former partial role
as informer and arbiter of social reality (I am not quite sure how to phrase
it - the experience of reading a newspaper article and knowing you were
getting objective and moderately complete information through your reading
it) - a role which papers such as the NYT, Washington Post, and in Germany
FAZ and SZ still play, and which at least The Times used to play in GB and
no longer does (for example, The Times's extremely poor and quite
poorly-opinionated coverage of AF447, as compared with that of the NYT).
Now, the Brit/American Roger Cohen, who writes columns for the NYT and is
almost always worth reading, had an interesting perspective. A week ago, he
argued that Rupert Murdoch had been good for the British press, on the basis
that he had kept it alive and thriving at a point at which it could well
have died (he suggests that The Times would likely have disappeared were it
not for Murdoch). I think much of that may well be right - it is hard to see
how the newspaper business could have survived, given the then-demands of
the printers' unions, and Murdoch single-handedly changed that
situation. But the daily printed word seems to have become much less
trustworthy in the UK in a way in which, for example, the best newspapers
elsewhere (NYT, WP, SZ, FAZ) have not. Even the WSJ, another paper which can
be argued to have been Murdoch-rescued, has not succumbed. There just seems
to be something about the British press in which I suspect Murdoch&family to
have significant influence over content.

The NHS is being slowly destroyed, I think, through successive poor policy
and management over decades, and I think that state secondary school
education has been on the down for decades. I had some hopes for the
university system, which when I entered it was scholastic-inclined and
elitist, with intake some very few percent of the population, and after some
culture shock at entering a system which took some few percent of a very
different population, came to see the enormous advantages of a
higher-education system which addressed over 50% of school leavers (in
universities and community colleges, in almost all of which one could do the
first year or two of any university coursework at - then - no cost). So I
had hopes, for a decade or two, for the English university system, but
perceiving the conditions under which my English colleagues now work, and
what has happened to courses and coursework and now student fees, I can't
any longer say that I think things have improved. What I can say is that for
younger academics at the start of their careers the system is still
superior, more humane and more encouraging, than most or all of those in
continental Europe, or even the US. So that remains a beacon of hope (sorry
for the cliche). But for the general university situation, I can't see that
privileged rich kids can have much personal insight into the matters that
count: who should be going to university, why, and under what
conditions. And without personal insight and experience, I don't see how one
can distinguish policies that might work from those that won't. I can't see,
for example, any 18 year old who has been trying to manage a couple of quid
a week pocket money being able to make a well-informed decision that going
into debt for 9,000 per year plus living expenses is going to be at all
worth it for his/her future life. Maybe so for, say, law, microeconomics or
engineering, but not for, say, Eng. lit., Latin&Greek, French lit., German
lit., philosophy, or those other courses of study which one might imagine
would give a future lawyer, politician or civil servant some perspective on
the variety of life with which they will be dealing and train some important
skills such as producing a coherent argument, and being able to write
decently. In contrast, I *can* see that, very easily, for young Americans in
the same position. Let me just say that money plays a different role there;
enough that it was part of my culture shock when I got there.

So what is significant in this scandal?

1. The extent to which it has become clear how Britain is run by elites,
many of whom appear to move in the same social circles. At least Blair used
to hob-nob with rock stars, most of which are self-made people who were not
financially privileged when they started, and probably still remember what
life was like with mum and dad trying to figure out if the family could
afford to go on holiday that year, rather than what fun they used to have in
the Bullingdon club. But one cannot imagine either him or Brown regularly
lunching and partying with, say, the Gallagher brothers.

2. The extent to which it has become clear how British life is influenced by
those elites. You'll find articles about Paris Hilton's, Lindsay Lohan's and
Britney Spears's latest jaunts in the NYT also, but you will also find
technical details of GE Boiling Water Reactors and why they are susceptible
to this-and-that. The German press will point you to technical documents of
the German regulator and safety watchdog available on the WWW. Whereas one
will search the British press fruitlessly for any details concerning British
nuclear power plants.

3. The extent to which the police appear to have been influenced by those
elites. When I grew up, the bobby and the doctor were examples of public
servants who performed useful functions largely independently of anything
and anybody else (although of course there were always corrupt bobbies and
incompetent doctors). Wednesday, I read through the Home Affairs Select
Committee report and was astonished at the police behavior, which appears to
be collusive to an extraordinary extent at the highest levels. But maybe
those who have actually lived in Britain in the last two decades are less

4. The extent to which the old trope "I'm the top guy. I didn't know
anything about what was going on lower down" is nowadays used as a *defence*
of one's (in)actions. Thirty years ago, it was the major reason for
*resigning*! (As indeed Yates and Stephenson have done - so it still is to
some extent. And Hayman got hammered by the Home Affairs Select Committee
when he tried to use it, so someone still remembers the "old days".)

5. I am, though, pleased to see the effectiveness of Select Committees.
James Murdoch saying he had been advised by his consultants to tell the
truth (oh, well, nice to know you get advice from wise people,
Mr. Murdoch!). And two days later Crone and Myler contradicting his
"defence" as in point 4. Indeed, it is hard to believe any business person
agreeing to settle a privacy-invasion case for ten times the going rate
(Mosley won 60,000 against the NOTW in court at about the same time, and
even that was up to ten times the award of most successful privacy-invasion
suits), plus full legal expenses, without asking why. I think that makes
James Murdoch toast, business-wise, whatever the truth turns out to be. I
suspect he may even have to work a little to stay out of jail, but see point
3 above. So even though they may be pocketing taxpayers' money to have their
moats cleaned, some politicians are still able to do a decent job on *other
people's misdemeanors*.

6. These are the kinds of things which either make one regret that one
didn't go into politics, or very relieved that one stayed out. The financial
collapse three years ago (which, by the way, I thought was brilliantly
handled by Gordon Brown, alone amongst Western leaders). But there are also
the kind of things which lead me to general despair. This is one of
those. It's a "time to emigrate" moment. Except that I did, and now I'm
running out of places. Canada? It's cold and there's that bully to the
south. Australia? I'm not sure I have the energy to learn another new
language. New Zealand? All those sheep! But I'd feel at home with the

7. Maybe it's time to form a new political party for those who work hard,
pay their taxes, and expect them to go somewhere useful like health care,
care of the elderly, education, effective oversight of finance and critical
infrastructure, public transportation, and effective urban
reinvigoration. (Germany at least gets the last two right.) Wait a minute!
Didn't we have one of those? What happened to it?

Peter Bernard Ladkin, Professor of Computer Networks and Distributed Systems,
Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
Tel+msg +49 (0)521 880 7319 www.rvs.uni-bielefeld.de


Date: Tue, 19 Jul 2011 10:05:19 -0700
From: Ashish Gehani <gehani@csl.sri.com>
Subject: Indian government uses Hotmail!

This may be of interest to Risks readers:


  [The outsourcees are outsourcers. Outsorcery is riskful. PGN]


Date: Tue, 19 Jul 2011 12:52:57 -0700
From: Gene Wirchenko <genew@ocis.net>
Subject: Skype Vulnerability

Jeremy Kirk, IDG News Service, InfoWorld Home, 15 Jul 2011

Update: Researcher claims dangerous vulnerability in Skype. The flaw could
allow an attacker to reset a Skype user's password and take control of their

A security consultant has notified Skype of a cross-site scripting flaw that
could be used to change the password on someone's account, according to
details posted online. Skype said it would issue a fix next week. ...

  [Fixed by now? PGN]


Date: Tue, 12 Jul 2011 2:28:35 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Booz Allen systems breached (Jason Ukman)

Anonymous claims it obtained military data in breach of Booz Allen systems
Jason Ukman, *The Washington Post*, 11 Jul 2011

The hacker group that calls itself Anonymous claimed Monday that it had
infiltrated the servers of Booz Allen Hamilton and obtained tens of
thousands of e-mail addresses and other sensitive data for military
personnel. In a new post on PirateBay, a site that hackers use to
distribute vast caches of data, the group dubbed the leak Military Meltdown
Monday. It claimed that it was surprisingly easy to hack into Booz's
systems and secure -- 90,000 military emails and password hashes. The data
appeared to include e-mail addresses, as well as encrypted versions of
passwords. <http://thepiratebay.org/torrent/6533009>

``In this line of work you'd expect them to sail the seven proxseas with a
 state-of-the-art battleship, right?'', the Anonymous post said in
 describing the firm's network defenses. ``Well, you may be surprised as
 were when we found their vessel being a puny wooden barge.''

Asked for comment, a spokesman for Booz directed The Washington Post to a
tweet by the company: ``As part of BoozAllen security policy, we generally
do not comment on specific threats or actions taken against our system.''

Because the passwords were encrypted, one of the greatest dangers of the
leak may be that the e-mail addresses could be used to contact military
personnel under false pretenses and lure them into revealing their
unencrypted passwords.

Booz, headquartered in Tysons Corner, is a major contractor for the Pentagon
and Department of Homeland Security.

Anonymous and its spin-off group, LulzSec, have claimed responsibility for a
string of attacks against private firms and government agencies. Earlier
this month, Anonymous claimed to have hacked the systems of a West
Virginia-based IT security company and acquired data from the Army, the
Navy, the Department of Justice and NASA.


Date: Tue, 19 Jul 2011 12:48:52 -0700
From: Gene Wirchenko <genew@ocis.net>
Subject: Do Not Track Not Being Followed (Grant Gross)

Is anyone surprised about this?

Grant Gross, IDG News Service, *InfoWorld*, 15 Jul 2011
Ad networks not honoring do-not-track promises
Some NAI members continue to leave tracking cookies on computers of
those who have opted out of targeted ads, a study says

Some online advertising networks continue to track Web users after tracking
opt-out requests, even though the networks have promised to honor those
questions, according to a new study from Stanford University's Center for
Internet Society. Eight members of the Network Advertising Initiative, a
cooperative of online marketing and analytics companies, promise to stop
tracking people who use the NAI's service to opt out of targeted
advertising, but continue to leave tracking cookies on those people's
computers, according to the study, published this week. ...

  [*The NY Times* has an article on 26 Jul 2011 on how the government is
  going after these folks. PGN]


Date: Wed, 13 Jul 2011 20:45:50 -0700
From: Mark Thorson <eee@sonic.net>
Subject: Man gets 18-year sentence for harassing neighbor through Wi-Fi

To get revenge on his neighbor, an ex-computer technician bought a Wi-Fi
hacking program, broke into his neighbor's network, and carried on a 2-year
campaign of harassment including making threats against vice-president Biden
that the Secret Service traced to the neighbor's IP address.

  [I'm wondering what the program does that makes hacking a Wi-Fi network so
  easy. MT] [No surprise here. PGN]


Date: Wed, 20 Jul 2011 08:11:32 +0800
From: jidanni@jidanni.org
Subject: Let's hope their code stays closed!

Smuggled out from a certain closed source project I help with:

"...Welcome to the club :-) Had big issues reproducing it as well, but
finally were able to by filling up my inbox with a bunch of fresh and
unanswered requests. The problem was caused in the code part that is
responsible for generating the expiring-request-warning-list in the side
bar and started a chain-row-effect by crashing the translation engine
which at the end of the chain scrambled the correct handing of
interactions with the reply buttons. So this bug wasn't an issue for all
the user base, just for the ones with a lot of unanswered requests. Cheers!"

Let's hope their code stays closed. [or bombarded with requests? PGN]


Date: Tue, 26 Jul 2011 09:58:34 -0700
From: Rob Seaman <seaman@noao.edu>
Subject: Decoupling Civil Timekeeping from Earth Rotation?

This meeting announcement is about as broad a computing issue in its impact
as any, and has received little attention outside of fields like astronomy
in which an obvious Y2K-like crisis looms.

Announcement for "Decoupling Civil Timekeeping from Earth Rotation"
Exton, PA USA, 5-6 Oct 2011

Researchers and engineers have organized a meeting on the proposed
redefinition of Coordinated Universal Time (UTC). Contributions are

There will be a final vote at the International Telecommunication Union
assembly in Geneva in January 2012 whether to cease issuing leap seconds.
This proposal has been discussed previously (e.g., RISKS 24.79 and 26.43),
but no public meeting has been held since 2003. The agenda will focus on
impacts of the change and possible engineering remediation strategies.

For more details, the International Earth Rotation Service has circulated
the announcement:


There is a related article in the current issue of *American Scientist*

        (preprint: http://arxiv.org/pdf/1106.3141)

With no leap seconds, UTC would no longer provide actual Universal Time.
Systems that previously assumed UTC was UT will need to distinguish the two
by introducing the correction known as DUT1, while systems that already
include DUT1 will need to allow for it growing past the current 0.9s
Y2K-like limit. The proposal also eliminates the current distribution
scheme for DUT1.

Rob Seaman, National Optical Astronomy Observatory, Tucson, AZ
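
  [An added example, not from the announcement, the IERS or the American
  Scientist article, modelling the assumption the last paragraph describes:
  code that converts UTC to UT1 with a DUT1 correction and carries DUT1 in a
  single signed digit of tenths, so that |DUT1| <= 0.9 s is baked in. The
  single-digit field is a simplified stand-in for a legacy distribution
  format, assumed here for illustration; the DUT1 values in the series are
  constructed, not predictions.]

```python
"""Model of the UTC -> UT1 correction (DUT1) and the 0.9 s assumption.

Added example, not from the RISKS post or the IERS announcement. The
single-signed-digit encoding of DUT1 is an assumed simplification of a
legacy distribution format; the DUT1 values used are constructed.
"""
from datetime import datetime, timedelta

# |UT1 - UTC| is kept below this only while leap seconds keep being inserted.
DUT1_LIMIT_S = 0.9


class DUT1OutOfRange(ValueError):
    """Raised when a DUT1 value cannot be carried under the legacy assumption."""


def ut1_from_utc(utc: datetime, dut1_s: float, legacy: bool = True) -> datetime:
    """Return UT1 = UTC + DUT1.

    With legacy=True the function behaves like code written under the
    assumption that |DUT1| <= 0.9 s and refuses larger values; with
    legacy=False it applies any correction.
    """
    if utc.tzinfo is None:
        raise ValueError("UTC timestamps must be timezone-aware")
    if legacy and abs(dut1_s) > DUT1_LIMIT_S:
        raise DUT1OutOfRange(f"DUT1={dut1_s:+.3f}s exceeds the {DUT1_LIMIT_S}s limit")
    return utc + timedelta(seconds=dut1_s)


def ut1_from_utc_iso(utc_iso: str, dut1_s: float, legacy: bool = True) -> str:
    """String convenience wrapper: ISO-8601 UTC in, ISO-8601 UT1 out."""
    return ut1_from_utc(datetime.fromisoformat(utc_iso), dut1_s, legacy).isoformat()


def encode_dut1_tenths(dut1_s: float) -> int:
    """Encode DUT1 as a signed single digit of tenths (-9..+9).

    A one-digit field cannot represent anything beyond +/-0.9 s: this is
    the 'Y2K-like limit' the post refers to, expressed as a data format.
    """
    tenths = round(dut1_s * 10)
    if abs(tenths) > 9:
        raise DUT1OutOfRange(f"{dut1_s:+.3f}s does not fit in one signed digit of tenths")
    return int(tenths)


def decode_dut1_tenths(field: int) -> float:
    """Inverse of encode_dut1_tenths."""
    return field / 10.0


def audit_dut1_series(series):
    """For (label, dut1_s) pairs, report which values the legacy path rejects.

    Returns (label, 'ok' | 'overflow') pairs; useful for checking a table of
    projected DUT1 values against a system that still uses the old field.
    """
    out = []
    for label, dut1 in series:
        try:
            encode_dut1_tenths(dut1)
            out.append((label, "ok"))
        except DUT1OutOfRange:
            out.append((label, "overflow"))
    return out


if __name__ == "__main__":
    print(ut1_from_utc_iso("2011-07-26T12:00:00+00:00", -0.3))
    # Constructed series: DUT1 drifting past 0.9 s once leap seconds stop.
    series = [("now", -0.3), ("later", -0.8), ("later still", -1.1), ("much later", -2.4)]
    for label, status in audit_dut1_series(series):
        print(label, status)
    print(ut1_from_utc_iso("2011-07-26T12:00:00+00:00", -1.1, legacy=False))
```

  The audit function is the check a maintainer would run over a projected
  DUT1 table: every 'overflow' is a place where the legacy field, and any
  parser built for it, stops being able to carry the correction.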


Date: Mon, 6 Jun 2011 20:01:16 -0900
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you. The mailman Web interface can
 be used directly to subscribe and unsubscribe:
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
 containing only the one-word text subscribe or unsubscribe. You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe@csl.sri.com or risks-unsubscribe@csl.sri.com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address. Instructions
 are included in the confirmation message. Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall@newcastle.ac.uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:


End of RISKS-FORUM Digest 26.50