Because of rampant security vulnerabilities, ever-present risks of misuse by insiders, and possibilities for penetrations by outsiders, there are many needs for comprehensive computer system accountability, that is, the ability to know definitively what is transpiring, particularly during and after accidents and intentional misuse. Unfortunately, security typically focuses overly on confidentiality, with integrity, availability, strong authentication, authorization, correctness, and accountability dragging way behind. Here, we consider the potential importance of the design, implementation, and operation of policies and mechanisms for accountability that resist being compromised, especially by knowledgeable trusted insiders. We illustrate this by considering the situation surrounding the recent Pick-Six betting scam involving the Breeders' Cup horse race.
A $3-million Pick-Six payoff over six races ending with the high-stakes Breeders' Cup race seemed rather suspicious, because the Pick-Six winner also picked many consolation bets of five winners. Subsequent investigation showed that an unusual combination bet had been placed by telephone through an off-track betting (OTB) site in Catskill, N.Y. The results of the first four races had been chosen exactly (including two long-shot winners of 13-to-1 and 26-to-1), and the bets on the remaining two races covered every possible combination.
Autotote's software is used by most U.S. off-track horse-race betting sites. Because the Autotote OTB system transmits bets to the central system only after the completion of the fourth race in the Pick-Six cycle, it was concluded that the "winner" had placed a combination bet of w,x,y,z,*,* (for an arbitrary choice of horses w, x, y, and z, with a wild card [*] of multiple bets over all possible horses in the last two races); then, after the results of the first four races were known (let's define them as A, B, C, D), but before the data transfer occurred, someone with access to the OTB system changed w,x,y,z to A,B,C,D. This resulted not only in the Pick-Six winner, but also in multiple consolation winners.
Accountability? Unfortunately, there is no bet-specific audit trail on telephoned OTB bets, although a spokesman for Autotote had insisted that it was "absolutely impossible" to hack into the system! So, you might ask, had anything like this happened previously? Indeed, there had been a previous Pick-Six payoff from the same OTB site and a similar earlier case in a Pick-Four. Furthermore, all of the participants in these instances were fraternity buddies from their days at Drexel University, and one of them was already under suspicion. It was also determined that they had forged tickets and collected on yet-unclaimed winning bets. The "someone" with access to the OTB system was a former Autotote employee who has pleaded guilty to two counts; his conspirators have also admitted their guilt.
In betting systems and financial systems generally, an inherent need exists for rigorous accountability. Many other applications previously discussed in this space also illustrate the criticality of integrity and accountability. For example, fully electronic voting systems are an example of "self-auditing" products that, due to their anonymity requirements, need vigilant oversight and independent accountability rather than the almost total lack of assurance they provide today. ("Trust us," the vendors say.) Also, mounting privacy concerns (including the proposed Total Information Awareness effort) are another huge problem area. Unfortunately, although access controls and database accountability might help sometimes to identify the perpetrators of violations, many privacy invasions involve untraceable human actions outside of computer systems.
Several lessons are evident. In many critical applications, risks of misuse by people with insider knowledge are widely ignored; so are the risks of outsiders who can easily become insiders, because of the lack of adequate internal security. System designs that seriously ignore accountability are particularly at risk, because of the difficulties of detecting and tracing misuse. Where they exist, audit trails must be strongly tamper resistant, or else they are themselves subject to manipulation. Physical traceability, paper trails, and truly independent, unbiased, objective, and honest security audits by experts can also be helpful. Proprietary closed-source software systems are inherently suspect without meaningful accountability. In short, noncompromising accountability can often be invaluable, although it presents serious opportunities for invasions of privacy that must also be addressed.
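To make the tamper-resistance lesson concrete for the delayed-transfer situation described earlier, the following added example (not from the column and not Autotote's design) sketches a bet-specific audit trail in which the site sends a chained hash commitment to the central system at bet time, so a record edited at the site before the batch transfer no longer matches. The class names, record fields, account labels, and horse numbers are all constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # starting value of the hash chain

def entry_hash(prev_hash, record):
    """Hash of a bet record chained to the previous commitment."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

class SiteLog:
    """Bet records held at the betting site, where the insider has access."""
    def __init__(self):
        self.records = []

    def place_bet(self, record, central):
        self.records.append(dict(record))
        # The commitment leaves the site at bet time, before any race is run.
        central.receive_commitment(entry_hash(central.head(), record))

class CentralSystem:
    """Holds only commitments until the delayed batch transfer arrives."""
    def __init__(self):
        self.commitments = []

    def head(self):
        return self.commitments[-1] if self.commitments else GENESIS

    def receive_commitment(self, digest):
        self.commitments.append(digest)

    def verify_batch(self, records):
        """Return indexes of records that do not match their commitment."""
        if len(records) != len(self.commitments):
            return list(range(max(len(records), len(self.commitments))))
        bad, prev = [], GENESIS
        for i, (rec, committed) in enumerate(zip(records, self.commitments)):
            if entry_hash(prev, rec) != committed:
                bad.append(i)
            prev = committed  # chain on committed values: one edit flags one entry
        return bad

def demo():
    central, site = CentralSystem(), SiteLog()
    site.place_bet({"acct": "constructed-001", "picks": ["1", "2", "3", "4", "*", "*"]}, central)
    site.place_bet({"acct": "constructed-002", "picks": ["5", "1", "2", "6", "3", "4"]}, central)
    clean = central.verify_batch(site.records)
    # Constructed tampering: first four picks rewritten after those races finish.
    site.records[0]["picks"][:4] = ["7", "8", "9", "6"]
    return clean, central.verify_batch(site.records)
```

The check only has value because the commitments are stored outside the reach of whoever can edit the site's records; a log and its hashes kept on the same system can be rewritten together.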
©2003 ACM 0002-0782/03/0200 $5.00