The RISKS Digest Volume 30 Issue 89

October 13, 2018 - MorningStar

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 30 Issue 89

Tuesday 30 October 2018

Contents

MTR East Rail disruption caused by failure of both primary and backup
Hong Kong Free Press
Train stops in exactly the wrong place
Mark Brader
Texas straight-ticket voters report ballot concerns
Arthur Flatau
MikeA
Australian risks of voting systems
Sheldon
Re: U.S. Begins First Cyberoperation Against Russia Aimed at Protecting Elections
Monty Solomon
Tech support—Hubble telescope
Rob Slade
Login glitch behind Tokyo Stock Exchange snafu
Nikkei Asian Review
State surveillance company leaked its own data, its customers’ data, and its customers’ victims’ data
BoingBoing
"New Windows 10 1809 bug: Zip data-loss flaw is months old but Microsoft missed it"
Liam Tung via Gene Wirchenko
Car Interfaces
Gabe Goldberg
Driverless cars: Who should die in a crash?
bbc.com
Every minute for three months, GM secretly gathered data on 90,000 drivers’ radio-listening habits and locations
BoingBoing
Surgery students ‘losing dexterity to stitch patients’
bbc.com
In Cyberwar, There are No Rules
Foreign Policy
Lawmakers Seek Review of Pentagon Contract Thought to Favor Amazon
WiReD
The customer is always right … re: Apple iPhones
Rob Slade
Fun with source code
Medium
A Dark Consensus About Screens and Kids Begins to Emerge in Silicon Valley
The New York Times
When Trump Phones Friends, the Chinese and the Russians Listen and Learn
NYTimes
Apple appears to have blocked GrayKey iPhone hacking tool
Lucas Mearian
Re: Toward Human-Understandable, Explainable AI
DJC
Re: Explainable AI Simulation for AVs
Richard Stein
Info on RISKS (comp.risks)


MTR East Rail disruption caused by failure of both primary and backup (Hong Kong Free Press)

Richard Stein <rmstein@ieee.org>

Mon, 29 Oct 2018 22:06:46 +0800

 https://www.hongkongfp.com/2018/01/11/mtr-east-rail-disruption-caused-failure-primary-backup-servers/  


Train stops in exactly the wrong place (Modern Railways)

Mark Brader <msb@vex.net>

Mon, 29 Oct 2018 14:56:29 -0400

 According to a short item on page 87 of the October issue of "Modern Railways", on August 21 a suspected shoplifter was chased into a train tunnel at Amsterdam's Schiphol Airport, requiring the train service to be temporarily shut down.  But when they went to restart it, the entire computerized train management system crashed and would not come back up.  As a result, all trains throughout the greater Amsterdam area were halted from some time in the evening rush hour until after midnight when the bug was finally identified and fixed.  "It transpired", the article says, "that one train had been stopped at exactly the point where the software determines which platform a train should use" and hence "the software continuously detected a train arriving at the spot and proceeded to try and allocate the non-existent arrival (the train was already there!) 32,000 times before the system crashed."  
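The failure mode in the quoted report, as a constructed model added here (not code from the article or from the railway's system): a level-triggered check re-reports a stationary train as a new arrival on every poll until the allocator runs out of room, while an edge-triggered, idempotent check allocates once, including after a restart. The class names, the sensor feed and the queue limit are assumptions.

```python
# Constructed model of a platform allocator. The real system's design is not
# described on the page, so every name and limit here is an assumption.
from dataclasses import dataclass, field

QUEUE_LIMIT = 32_000  # constructed capacity, echoing the count in the report


class AllocatorOverflow(RuntimeError):
    """Raised when pending allocations exceed what the allocator can hold."""


@dataclass
class LevelTriggeredAllocator:
    """Treats 'sensor occupied' as 'a train is arriving' on every poll."""
    pending: list = field(default_factory=list)

    def poll(self, occupied, train_id):
        if occupied:  # fires again on every cycle while the train sits there
            if len(self.pending) >= QUEUE_LIMIT:
                raise AllocatorOverflow("pending allocation queue exhausted")
            self.pending.append(train_id)


@dataclass
class EdgeTriggeredAllocator:
    """Acts only on the clear->occupied transition; idempotent per train."""
    was_occupied: bool = False
    allocated: dict = field(default_factory=dict)
    next_platform: int = 1

    def poll(self, occupied, train_id):
        rising_edge = occupied and not self.was_occupied
        self.was_occupied = occupied
        # A freshly restarted allocator sees one rising edge for a train that
        # is already standing on the sensor, and never a second one.
        if rising_edge and train_id not in self.allocated:
            self.allocated[train_id] = self.next_platform
            self.next_platform += 1


def run(allocator, samples):
    """Feed (occupied, train_id) samples; return the cycle of the crash."""
    for cycle, (occupied, train_id) in enumerate(samples, start=1):
        try:
            allocator.poll(occupied, train_id)
        except AllocatorOverflow:
            return cycle
    return None  # survived the whole feed


if __name__ == "__main__":
    stuck_train = [(True, "T1")] * 40_000  # constructed: train parked on sensor
    print("level-triggered crashed at cycle", run(LevelTriggeredAllocator(), stuck_train))
    fixed = EdgeTriggeredAllocator()
    print("edge-triggered crash:", run(fixed, stuck_train), "allocations:", fixed.allocated)
```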


Texas straight-ticket voters report ballot concerns

Arthur Flatau <flataua@acm.org>

Sat, 27 Oct 2018 08:07:15 -0500

 Austin American Statesman

 The idea that hitting a button or other control while a screen is rendering is a user error is astounding.  If the machine incorrectly interprets user input it is a bug plain and simple.

 Amid scattered complaints by straight-ticket early voters of both parties that their ballots did not, at first, correctly record their choice of either Democrat Beto O'Rourke or Republican Ted Cruz for U.S. Senate, state and local election officials are cautioning voters to take their time in voting and check the review screen for accuracy before casting ballots.

 The elections officials say the problems resulted from user error in voting on the Hart eSlate machines widely used in Texas—including in Travis, Hays and Comal counties—and are not the result of a machine glitch or malfunction.

 “The Hart eSlate machines are not malfunctioning,” said Sam Taylor, communications director for the Texas secretary of state's office.  “The problems being reported are a result of user error—usually voters hitting a button or using the selection wheel before the screen is finished rendering.”

 Taylor said the office is aware of a handful of complaints and that the voters were able to correct their ballots before casting their votes.

 https://www.statesman.com/news/20181026/texas-straight-ticket-voters-report-ballot-concerns

 [On the other hand, this explanation might be somewhat evasive.  For example, see Kim Zetter's article on this subject: Voters in Texas aren't to blame for vote-switching in Cruz/O'Rourke race; a software issue known as a race condition or concurrency bug is, says Dan Wallach, who notes machine vendor failed to fix this and many other problems found with the Hart machines at least ten years ago.
 https://twitter.com/KimZetter/status/1057332585313910785
 Note: Dan Wallach, Rebecca Mercuri, and I testified before the Houston City Council in July 2001 on why these machines (still in use today) were likely to be vulnerable.  PGN]

Texas straight-ticket voters report ballot concerns (RISKS-30.89)

mikea <mikea@mikea.ath.cx>

Thu, 25 Oct 2018 20:59:15 -0500

 People have been talking about voting machines registering a vote other than the one the voter intended.

 It happened to a friend in Collin County, Texas. She voted Straight Democratic Party on an electronic voting machine, and had her votes change to all Republican candidates for the same positions. It was good that she noticed this before she actually hit the button to register her votes. She noticed that the process was repeatable: straight Democratic party changed to straight Republican party a second time, called an election judge over, and demonstrated it a third time.  The election judge reluctantly took that voting machine out of service.

 I find myself wondering if the same thing happened to others who *didn't* notice before they completed the vote using that machine.

 My more paranoid self, noting that these machines have no paper ballots as a permanent record, wonders if the machine was somehow rigged to change straight Democratic to straight Republican—the more so because Collin County is pure, saturated RGB=(255,0,0) Republican. It also wonders how many more machines did the same change.

 My _extremely_ paranoid self wonders if there are documents circulating among a small subset of election officials, with titles like "How to rig FooCorp voting machines to help your side".

 An acquaintance who works for the election board in a Georgia county tells me that the reports that votes for the Democratic candidate for Governor were, at the ultimate moment being changed *in the voting machine* to votes for the Republican candidate—again, on all-electronic machines that don't use paper ballots and have no audit trail.

 Paper ballots make true recounts possible. Who controls these voting machines controls the election.


Australian risks of voting systems (RISKS-30.88)

Sheldon <sheldon10101@gmail.com>

Tue, 23 Oct 2018 22:44:19 -0400

 The Australian experience with counting votes will not work for the US. I've been a DRO, someone who has run a poll, at Canadian Federal, Provincial and Municipal Elections.

 Counting by hand the less than 200 ballots for a Federal or Provincial election was no problem. There is a paper ballot and one office to count. I told the scrutineers (partisans who watched the count) that they had a few seconds to look at a ballot and object. Then, I'd decide.  If they didn't like the decision, that ballot went into an envelope for disputed ballots along with spoiled ballots. In case the vote was very, very close, they first looked at those questionable ballots. I was one of the first to get my ballot box back to the riding office.

 Counting by hand a municipal election where there were two different ballots and 5 offices on a ballot was a nightmare. After doing one, I never did another one. Now there are still two different ballots but, the ballots are counted by OCR.

 The Election lists are maintained by a non-partisan body. There are ID requirements but, with the liberals in power, very little is required.

 In the past, the position of election officials on the day of the election was partisan. Now, they are happy to take anyone.

 Of course, with the mad Doug Ford in power in Ontario, no one knows where his madness will lead.  Ontario elected an idiot knowing he was an idiot. We just didn't know how much of an idiot he would be.


Re: U.S. Begins First Cyberoperation Against Russia Aimed at Protecting Elections (Solomon, RISKS-30.84)

Richard Stein <rmstein@ieee.org>

Wed, 24 Oct 2018 18:06:58 +0800

 https://techcrunch.com/2018/10/23/first-cyber-operation-gentle-approach-russian-trolls/  A line in a CV stating: "Recipient of US Cyber Command email advising to cease and desist election interference, and immediately end trolling in OCT2018" must be an honor among the Russian cyberwarrior cognoscenti.  RISK: Does it justify a salary raise request?  


Tech support—Hubble telescope

Rob Slade <rmslade@shaw.ca>

Thu, 25 Oct 2018 12:10:07 -0700

 Two weeks ago, the Hubble telescope experienced a gyroscope failure.  Hubble has been very important, and has contributed enormously to our understanding of the universe.  This is a hugely expensive device, which has had problems in the past.  It's up in space where you can't exactly get someone to go and hit it with a hammer in hopes it'll start working again.

 NASA has tried a number of sophisticated procedures to get Hubble functioning again.  They haven't worked.

 Now NASA has turned it off, and back on again.
 https://gizmodo.com/hubble-telescope-s-broken-gyroscope-seemingly-fixed-aft-1829934018 or https://is.gd/JgwOMu

 Hubble is working again ...

 When I'm dying in hospital I want them to unplug all the tubes and plug them back in and see if that works ...


Login glitch behind Tokyo Stock Exchange snafu (Nikkei Asian Review)

Gabe Goldberg <gabe@gabegold.com>

Tue, 30 Oct 2018 14:58:54 -0400

 https://asia.nikkei.com/Business/Markets/Login-glitch-behind-Tokyo-Stock-Exchange-snafu  


State surveillance company leaked its own data, its customers’ data, and its customers’ victims’ data (BoingBoing)

Lauren Weinstein <lauren@vortex.com>

Wed, 24 Oct 2018 11:44:41 -0700

 via NNSquad https://boingboing.net/2018/10/24/20-gb-of-internal-data.html  


"New Windows 10 1809 bug: Zip data-loss flaw is months old but Microsoft missed it"

Gene Wirchenko <genew@telus.net>

Tue, 23 Oct 2018 18:31:07 -0700

 Liam Tung, ZDNet, 23 Oct 2018
 https://www.zdnet.com/article/new-windows-10-1809-bug-zip-data-loss-flaw-is-months-old-but-microsoft-missed-it/

 A Feedback Hub user reported the latest Windows 10 October 2018 Update bug three months ago. Microsoft has fixed the issue in preview builds of the 19H1 version of Windows 10, so it should be fixed in 1809 soon.

 opening text:

 Windows 10 version 1809 update is still on ice due to the data-deletion bug embarrassingly missed by Microsoft during preview testing.

 But the few users who did get the Windows 10 October 2018 Update have now discovered its built-in zip tool is doing weird things when copying files.

 As one 1809 user reported on Reddit, this version of Windows 10 is missing the 'Do you want to replace these files' dialog when copying from a zip archive to a folder with an identically named file in it.

 The problem only seems to affect the built-in zip tool in Windows File Explorer rather than third-party zip tools.

 The dialog is an important flag when transferring a lot of files, since it's an opportunity for the user to choose whether to replace the identical file, skip replacing the file, or compare the information stored in both files before taking any action.

 Without the dialog, it could be easy to unintentionally overwrite non-identical files.
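An added example (not from the ZDNet article or from Microsoft): the replace, skip or compare decision that the missing dialog provided, written as an explicit policy around Python's `zipfile` so that a differing file is never overwritten silently. The function names and the sample archive are constructed for illustration.

```python
import hashlib
import io
import os
import tempfile
import zipfile


def _sha256(data):
    return hashlib.sha256(data).hexdigest()


def plan_extraction(archive, dest_dir):
    """Classify every file member as 'new', 'identical' or 'conflict'."""
    plan = {}
    dest_root = os.path.realpath(dest_dir)
    for info in archive.infolist():
        if info.is_dir():
            continue
        target = os.path.realpath(os.path.join(dest_root, info.filename))
        # The comparison below is only meaningful if the member really lands
        # inside dest_dir, so refuse names that resolve outside it.
        if os.path.commonpath([dest_root, target]) != dest_root:
            raise ValueError(f"unsafe member path: {info.filename}")
        if not os.path.exists(target):
            plan[info.filename] = "new"
            continue
        with open(target, "rb") as existing:
            same = _sha256(existing.read()) == _sha256(archive.read(info))
        plan[info.filename] = "identical" if same else "conflict"
    return plan


def extract(archive, dest_dir, on_conflict="abort"):
    """Extract under an explicit policy: 'abort', 'skip' or 'replace'."""
    if on_conflict not in ("abort", "skip", "replace"):
        raise ValueError(f"unknown policy: {on_conflict}")
    plan = plan_extraction(archive, dest_dir)
    conflicts = sorted(n for n, state in plan.items() if state == "conflict")
    if conflicts and on_conflict == "abort":
        # Nothing has been written yet, so the destination is untouched.
        raise FileExistsError(f"would overwrite differing files: {conflicts}")
    written = []
    for name, state in plan.items():
        if state == "identical":
            continue  # same bytes already on disk
        if state == "conflict" and on_conflict == "skip":
            continue  # keep the local version
        archive.extract(name, dest_dir)
        written.append(name)
    return sorted(written)


def demo():
    """Constructed scenario: one new, one identical and one differing file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", b"archive version\n")
        zf.writestr("notes.txt", b"same text\n")
        zf.writestr("new.txt", b"only in archive\n")
    with tempfile.TemporaryDirectory() as dest:
        with open(os.path.join(dest, "report.txt"), "wb") as f:
            f.write(b"local edits\n")
        with open(os.path.join(dest, "notes.txt"), "wb") as f:
            f.write(b"same text\n")
        with zipfile.ZipFile(buf) as zf:
            plan = plan_extraction(zf, dest)
            try:
                extract(zf, dest)  # default policy refuses to overwrite
                aborted = False
            except FileExistsError:
                aborted = True
            written = extract(zf, dest, on_conflict="skip")
        with open(os.path.join(dest, "report.txt"), "rb") as f:
            kept = f.read()
    return plan, aborted, written, kept


if __name__ == "__main__":
    print(demo())
```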


Car Interfaces

Gabe Goldberg <gabe@gabegold.com>

Thu, 25 Oct 2018 15:29:00 -0400



Driverless cars: Who should die in a crash? (bbc.com)

Richard Stein <rmstein@ieee.org>

Sun, 28 Oct 2018 12:51:47 +0800



Every minute for three months, GM secretly gathered data on 90,000 drivers’ radio-listening habits and locations (BoingBoing)

Lauren Weinstein <lauren@vortex.com>

Tue, 23 Oct 2018 11:11:03 -0700



Surgery students ‘losing dexterity to stitch patients’ (bbc.com)

Richard Stein <rmstein@ieee.org>

Tue, 30 Oct 2018 10:53:50 +0800



In Cyberwar, There are No Rules (Foreign Policy)

Richard Stein <rmstein@ieee.org>

Fri, 26 Oct 2018 10:55:32 +0800



Lawmakers Seek Review of Pentagon Contract Thought to Favor Amazon (WiReD)

Gabe Goldberg <gabe@gabegold.com>

Sun, 28 Oct 2018 21:44:23 -0400



The customer is always right … re: Apple iPhones

Rob Slade <rmslade@shaw.ca>

Fri, 26 Oct 2018 10:59:22 -0700



Fun with source code (Medium)

Gabe Goldberg <gabe@gabegold.com>

Sun, 28 Oct 2018 15:46:23 -0400



A Dark Consensus About Screens and Kids Begins to Emerge in Silicon Valley (The New York Times)

Richard Stein <rmstein@ieee.org>

Mon, 29 Oct 2018 21:53:57 +0800



When Trump Phones Friends, the Chinese and the Russians Listen and Learn (NYTimes)

Lauren Weinstein <lauren@vortex.com>

Wed, 24 Oct 2018 16:35:22 -0700



"Apple appears to have blocked GrayKey iPhone hacking tool" (Lucas Mearian)

Gene Wirchenko <genew@telus.net>

Tue, 30 Oct 2018 13:05:51 -0700



Re: Toward Human-Understandable, Explainable AI (RISKS-30.88)

DJC <djc@resiak.org>

Thu, 25 Oct 2018 09:57:27 +0200



Re: Explainable AI Simulation for AVs

Richard Stein <rmstein@ieee.org>

Thu, 25 Oct 2018 18:37:52 +0800

