RISKS Forum mailing list archives
Risks Digest 28.35
From: RISKS List Owner <risko () csl sri com>
Date: Thu, 13 Nov 2014 15:30:59 PST
RISKS-LIST: Risks-Forum Digest Thursday 13 November 2014 Volume 28 : Issue 35 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/28.35.html> The current issue can be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents: "Docking with a non-cooperative object" - Salyut 7 rescue (Ed Ravin) Ontario Provincial Police Recommend Ending Anonymity on the Internet (Michael Geist) Fire Eye Map of Very Recent Cyber Attacks (Alister Wm Macintyre) Peeping: 73K unsecured security cameras thanks to default passwords (Network World) ``Internet is a Dark and Ungoverned Space'' (Sir Bernard Hogan-Howe) quoted via Chris Drewe) German spy agency seeks millions to monitor social networks outside Germany and crack SSL (IT World) Users can't tell Facebook from a scam (ZDNet via NNSquad) Major new Windows TLS bug (Ars Technica) Microsoft reports CRITICAL Vulnerability in Windows 7/2003 and later TLS implementations (MS via Bob Gezelter) ISPs reportedly interfering with customer use of STARTTLS (RFC 3207) Kapersky reports sophisticated attacks using forged certificates against targeted high-value individuals (Bob Gezelter) ISPs Removing Their Customers' Email Encryption (EFF) "Apple security checks may still miss iWorm malware" (Jeremy Kirk via Gene Wirchenko) "Google releases tool to test apps, devices for SSL/TLS weaknesses" (Lucian Constantin) "Device loss, not hacking, poses greatest risk to health care data" (Serdar Yegulalp) "Home Depot says 53 million email addresses compromised during breach" (Steve Ragan) The Home Depot Reports Findings in Payment Data Breach Investigation (Jim Reisert) "Tor Project mulls over how law enforcement took down hidden websites" (Jeremy Kirk) Ontogeny recapitulates Prodigy? (Ed Ravin) Fearing Bombs That Can Pick Whom to Kill (NYT via Matthew Kruk) The $11M Tool That Could Help Computers Write Their Own Code (Klint Finley) Galois report on Internet voting hack (PGN) Re: Risks of assuming votes are accurate (Dimitri Maziuk, Steven Jay Klein) Re: Online voting rife with hazards (John Sebes) No risk of overturning a Senator's election due to dead voters (Mark E. Smith) Re: "Have we gotten so pathetically lame that you need to be notified by an email that your laundry is done?" (Bob Frankston) Re: $750k Fine for exporting crypto (Amos Shapir) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Sun, 9 Nov 2014 11:04:53 -0500 From: Ed Ravin <eravin () panix com> Subject: "Docking with a non-cooperative object" - Salyut 7 rescue How do you dock to a space station that has lost all power, when your docking procedure relies on telemetry from the station's computer and the expectation that the station will turn itself so its docking port faces the incoming spacecraft? "The following story happened in 1985 but subsequently vanished into obscurity. [...] After extensive research, writer Nickolai Belakovski is able to present, for the first time to an English-speaking audience, the complete story of Soyuz T-13âs mission to save Salyut 7, a fascinating piece of in-space repair history." http://arstechnica.com/science/2014/09/the-little-known-soviet-mission-to-rescue-a-dead-space-station/ ------------------------------ Date: Mon, 10 Nov 2014 11:52:16 -0800 From: Lauren Weinstein <lauren () vortex com> Subject: Ontario Provincial Police Recommend Ending Anonymity on the Internet (Michael Geist) MG via NNSquad http://www.michaelgeist.ca/2014/11/ontario-provincial-police-recommend-ending-anonymity-internet/ "Leaving aside the deeply troubling inference of requiring licences to the use the Internet in the same manner as obtaining a driver's licence, the police desire to stop online anonymity suggests that the OPP has not read the Supreme Court of Canada Spencer decision very carefully. If it had, it would know that not only does the court endorse a reasonable expectation of privacy in subscriber information, but it emphasizes the importance of online anonymity in doing so." The OPP: A "Dangerous Idiots" Award Winner! ------------------------------ Date: Sun, 9 Nov 2014 18:42:15 -0600 From: "Alister Wm Macintyre \(Wow\)" <macwheel99 () wowway com> Subject: Fire Eye Map of Very Recent Cyber Attacks Here is the map http://www.fireeye.com/cyber-map/threat-map.html Here is the explanation of the dots connected. http://www.fireeye.com/blog/uncategorized/2014/10/a-threatening-threat-map.html Some customers have given Fire Eye permission to share info about attacks they experienced. To mask customer identity, locations are represented as the center of the country in which they reside. There is nothing in the data that can be used to identify a customer or their origin city. I became interested in Fire Eye, when a breached place was determined to have purchased cyber security protection, then ignored alerts and warnings about vulnerabilities at high risk of being exploited, and the security companies were identified - had the breached place only acted on those warnings, it would not have been breached. Fire Eye was one of the cyber protection outfits named. ------------------------------ Date: Fri, 7 Nov 2014 10:17:06 -0800 From: Lauren Weinstein <lauren () vortex com> Subject: Peeping: 73K unsecured security cameras thanks to default passwords Network World (via NNSquad) http://www.networkworld.com/article/2844283/microsoft-subnet/peeping-into-73-000-unsecured-security-cameras-thanks-to-default-passwords.html "There were lots of businesses, stores, malls, warehouses and parking lots, but I was horrified by the sheer number of baby cribs, bedrooms, living rooms and kitchens; all of those were within homes where people should be safest, but were awaiting some creeper to turn the "security surveillance footage" meant for protection into an invasion of privacy ... So many cameras are setup to look down into cribs that it was sickening; it became like a mission to help people secure them before a baby cam "hacker" yelled at the babies ... I'm unwilling to say how many calls I made, or else you might think I enjoy banging my head against the wall. It was basically how I spent my day yesterday. Too many times the location couldn't be determined, led to apartments, or the address wasn't listed in a reverse phone search. After too many times in a row like that, I'd switch to a business as it is much easier to pinpoint and contact ... One call was to a military installation. Since the view was of beautiful fall foliage, it seemed like a "safe" thing to find out if that camera was left with the default password on purpose. Searching for a contact number led to a site that was potentially under attack and resulted in a "privacy error." Peachy. Then I had two things to relay, but no one answered the phone. After finding another contact number and discussing both issues at length, I was told to call the Pentagon! Holy cow and yikes! ... Managers, don't shoot the messenger; a person out to hurt you might dig into a Linux box with root, but no exploit or hacking is needed to view the surveillance footage of your unsecured cameras! It's exceedingly rude to yell or accuse a Good Samaritan of "hacking" you. If your cameras are AVTech and admin is both username and password, or Hikvision "secured" with the defaults of admin and 12345, then you need to change that. Or don't and keep live streaming on a Russian site." [The usual countermeasure to this kind of attack is Peeping Duck. But ducking doesn't work very well. PGN] ------------------------------ Date: Sat, 08 Nov 2014 21:42:02 +0000 From: Chris Drewe <e767pmk () yahoo co uk> Subject: ``Internet is a Dark and Ungoverned Space'' There's a report in the newspaper of Sir Bernard Hogan-Howe, Metropolitan (London) Police Commissioner, speaking at an international terrorism conference in New York this week (Nov 6th). Among other things, he's quoted as saying "... the Internet is becoming a dark and ungoverned space in which too little is done to guard against... murders and terrorists, and called on technology firms to do more to provide online protection... the methods used by offenders... are in danger of making the Internet anarchic... we cannot allow parts of the Internet -- or any communications platform -- to become a dark and ungoverned space... in a democracy, we cannot accept any space -- virtual or not -- to become anarchic." Not sure what he wants; a Chinese-style firewall? This is taken from the print version, which is a summary of two longer on-line articles with slightly different words: http://www.telegraph.co.uk/news/uknews/law-and-order/11215149/Bobbies-on-the-beat-will-help-tackle-terrorism-says-Met-chief.html http://www.telegraph.co.uk/news/uknews/crime/11216093/Six-Britons-accused-of-running-online-drug-market-Silk-Road-2.0.html ------------------------------ Date: Mon, 10 Nov 2014 23:31:22 -0800 From: Lauren Weinstein <lauren () vortex com> Subject: German spy agency seeks millions to monitor social networks outside Germany and crack SSL IT World via NNSquad http://www.itworld.com/article/2845603/german-spy-agency-seeks-millions-to-monitor-social-networks-outside-germany.html "The BND also wants to spend EUR4.5 million to crack and monitor HTTPS (Hypertext Transfer Protocol Secure) encrypted Internet traffic. By 2020 some of that money may be spent [on] the black market to buy zero day exploits, unpublicized vulnerabilities that can be exploited by hackers." Weren't the Germans complaining loudly about NSA? Oh well. ------------------------------ Date: Thu, 6 Nov 2014 07:44:40 -0800 From: Lauren Weinstein <lauren () vortex com> Subject: Users can't tell Facebook from a scam ZDNet via NNSquad http://www.zdnet.com/users-cant-tell-facebook-from-a-scam-7000035440/ "A new whitepaper from Bitdefender examined victims targeted in 850,000 Facebook scams. It turns out Facebook's user experience makes it easy for scammers to exploit users." ------------------------------ Date: Tue, 11 Nov 2014 17:10:44 -0800 From: Lauren Weinstein <lauren () vortex com> Subject: Major new Windows TLS bug (Ars Technica) Ars Technica via NNSquad http://arstechnica.com/security/2014/11/potentially-catastrophic-bug-bites-all-versions-of-windows-patch-now/ Microsoft has disclosed a potentially catastrophic vulnerability in virtually all versions of Windows. People operating Windows systems, particularly those who run websites, should immediately install a patch Microsoft released Tuesday morning. The vulnerability resides in the Microsoft secure channel (schannel) security component that implements the secure sockets layer and transport layer security (TLS) protocols, according to a Microsoft advisory. A failure to properly filter specially formed packets makes it possible for attackers to execute attack code of their choosing by sending malicious traffic to a Windows-based server. ------------------------------ Date: Tue, 11 Nov 2014 23:47:35 -0700 From: "Bob Gezelter" <gezelter () rlgsc com> Subject: Microsoft reports CRITICAL Vulnerability in Windows 7/2003 and later TLS implementations Microsoft Security Bulletin MS14-066 reports a Critical bug in its implementation of TLS on Windows 7/2003 and later systems. From the announcement: "Vulnerability in Schannel Could Allow Remote Code Execution This security update resolves a privately reported vulnerability in the Microsoft Secure Channel (Schannel) security package in Windows. The vulnerability could allow remote code execution if an attacker sends specially crafted packets to a Windows server. This security update is rated Critical for all supported releases of Microsoft Windows. For more information, see the Affected Software section. The security update addresses the vulnerability by correcting how Schannel sanitizes specially crafted packets. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability. The report is at: https://technet.microsoft.com/library/security/MS14-066 The CVE reference for this problem is: CVE-2014-6321 - Bob Gezelter, http://www.rlgsc.com ------------------------------ Date: Wed, 12 Nov 2014 08:28:51 -0700 From: "Bob Gezelter" <gezelter () rlgsc com> Subject: ISPs reportedly interfering with customer use of STARTTLS (RFC 3207) The EFF reports that some ISPs are apparently altering data in customer SMTP connections to remove the STARTTLS flag. The STARTTLS flag, defined in RFC 3207 switches SMTP connections from plaintext to TLS. By stripping the STARTTLS flag, the ISP disables encryption on the connection, enabling eavesdropping on the headers and the message body (if not otherwise encrypted with S/MIME or PGP). Several questions arise: - WHY? Is this being done on their own initiative, or is it being ordered by a third party? - As there was apparently no disclosure, is it legal? Unannounced modification of customer data streams has a number of implications in different domains, from legal to simple privacy. The EFF article is at: https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks Bob Gezelter, http://www.rlgsc.com ------------------------------ Date: Tue, 11 Nov 2014 00:28:49 -0700 From: "Bob Gezelter" <gezelter () rlgsc com> Subject: Kapersky reports sophisticated attacks using forged certificates against targeted high-value individuals Kapersky Laboratories has reported the discovery of a long-running set of attacks targeted against senior executives using hotel (cabled and Wi-Fi) Internet access. Most disturbingly, the attacks involved forged certificates and were targeted at individuals, which implies systematic breaches beyond the attack itself. The mechanism involved targeted IFRAMEs from the network access gateway which users use to authenticate to the local property's network access. This would appear to be a case of precision targeted malware, something I wrote about in the "Computer Security Handbook, Fourth Edition" more than 10 years ago. Such malware is particularly pernicious, as it is not seen enough to be familiar to anti-virus vendors and thus detectable. It can only be detected by a very detailed review of the affected system(s). The report is at: https://securelist.com/files/2014/11/darkhotel_kl_07.11.pdf - Bob Gezelter, http://www. rlgsc.com ------------------------------ Date: Tue, 11 Nov 2014 18:53:55 -0800 From: Lauren Weinstein <lauren () vortex com> Subject: ISPs Removing Their Customers' Email Encryption (EFF) EFF via NNSquad https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks "Another network-tampering threat to user safety has come to light from other providers: email encryption downgrade attacks. In recent months, researchers have reported ISPs in the US and Thailand intercepting their customers' data to strip a security flag--called STARTTLS--from email traffic. The STARTTLS flag is an essential security and privacy protection used by an email server to request encryption when talking to another server or client." ------------------------------ Date: Mon, 10 Nov 2014 12:13:35 -0800 From: Gene Wirchenko <genew () telus net> Subject: "Apple security checks may still miss iWorm malware" (Jeremy Kirk) Jeremy Kirk, Infoworld, 5 Nov 2014 New research says Gatekeeper and XProtect aren't entirely effective in protecting Mac OS X against iWorm malware http://www.infoworld.com/article/2843798/security/apple-security-checks-may-still-miss-iworm-malware.html ------------------------------ Date: Mon, 10 Nov 2014 12:16:38 -0800 From: Gene Wirchenko <genew () telus net> Subject: "Google releases tool to test apps, devices for SSL/TLS weaknesses" (Lucian Constantin) Lucian Constantin, Infworld, 5 Nov 2014 The tool simulates man-in-the-middle attacks to detect SSL/TLS vulnerabilities and implementation issues http://www.infoworld.com/article/2843756/security/google-releases-tool-to-test-apps-devices-for-ssltls-weaknesses.html ------------------------------ Date: Mon, 10 Nov 2014 12:18:23 -0800 From: Gene Wirchenko <genew () telus net> Subject: "Device loss, not hacking, poses greatest risk to health care data" (Serdar Yegulalp) Serdar Yegulalp, InfoWorld, 10 Nov 2014 California DOJ report on data breaches shows most losses in health care revolve around stolen devices, due to weak use of encryption http://www.infoworld.com/article/2844957/data-security/device-loss-not-hacking-puts-health-care-data-most-at-risk.html ------------------------------ Date: Tue, 11 Nov 2014 14:17:34 -0800 From: Gene Wirchenko <genew () telus net> Subject: "Home Depot says 53 million email addresses compromised during breach" (Steve Ragan) Steve Ragan, Infoworld, 7 Nov 2014 In addition to 56 million payment cards, 53 million email addresses are added to the list of compromised data http://www.infoworld.com/article/2844514/security/home-depot-says-53-million-email-addresses-compromised-during-breach.html ------------------------------ Date: Thu, 6 Nov 2014 16:33:09 -0700 From: Jim Reisert AD1C <jjreisert () alum mit edu> Subject: The Home Depot Reports Findings in Payment Data Breach Investigation ATLANTA, Nov. 6, 2014 /PRNewswire/ -- The Home Depot, the world's largest home improvement retailer, today disclosed additional findings related to the recent breach of its payment data systems. The findings are the result of weeks of investigation by The Home Depot, in cooperation with law enforcement and the company's third-party IT security experts. In addition to details previously released, the investigation to date has determined the following: * Criminals used a third-party vendor's user name and password to enter the perimeter of Home Depot's network. These stolen credentials alone did not provide direct access to the company's point-of-sale devices. * The hackers then acquired elevated rights that allowed them to navigate portions of Home Depot's network and to deploy unique, custom-built malware on its self-checkout systems in the U.S. and Canada. * In addition to the previously disclosed payment card data, separate files containing approximately 53 million email addresses were also taken during the breach. These files did not contain passwords, payment card information or other sensitive personal information. https://finance.yahoo.com/news/home-depot-reports-findings-payment-213000609.html ------------------------------ Date: Tue, 11 Nov 2014 14:19:58 -0800 From: Gene Wirchenko <genew () telus net> Subject: "Tor Project mulls over how law enforcement took down hidden websites" (Jeremy Kirk) Jeremy Kirk, Infoworld, 10 Nov 2014 The project doesn't have funding as yet to improve the security of hidden sites http://www.infoworld.com/article/2845008/security/tor-project-mulls-over-how-law-enforcement-took-down-hidden-websites.html opening text: Little is known about how U.S. and European law enforcement shut down more than 400 websites, including Silk Road 2.0, which used technology that hides their true IP addresses. The websites were set up using a special feature of the Tor network, which is designed to mask people's Internet use using special software that routes encrypted browsing traffic through a network of worldwide servers. ------------------------------ Date: Sun, 9 Nov 2014 23:41:49 -0500 From: Ed Ravin <eravin () panix com> Subject: Ontogeny recapitulates Prodigy? Monty Solomon wrote in about "Fall of the Banner Ad: The Monster That Swallowed the Web" in the NY Times, which claims the Web banner ad is 20 years old. I think it's a bit older than that. Anybody remember the Prodigy online service? Back in the 1980's, they were using banner ads - or perhaps we should call them footer ads as they usually occupied the bottom quarter of the screen. Here's a sample: http://cdn.theatlantic.com/assets/media/img/posts/2014/07/screenshot_games/5df26af65.png Back when I worked there, I had no idea how close that image was to the future of world-wide online services. Many of the other things Prodigy did turned out to be precursors of the modern Web -- online shopping, airline tickets, grocery orders, unscientific but absurdly popular online polls, and a nationwide content caching network built on IBM Series/1 minicomputers, with a bank of dialup modems in each one, at least ten years before Akamai had the same idea. All this was built with clunky technology about as efficient for the purpose as Roman numerals are for doing calculus. Prodigy was also ahead of their time when it came to getting statistics on user behavior - the software that ran the service on the user's PC sent back regular accounting data on what users were doing, the kind of stuff you might get now with Google Analytics, cookies, and Web bugs. Prodigy patented many of their software processes -- http://www.google.com/patents/US5347632 is one example, which describes the Prodigy "reception system", software running on the user's PC that had a role analogous to the modern Web browser. It didn't run Java or HTML, but it did download code written in Prodigy's proprietary "TBOL" language, and marked-up data in another proprietary format. Who knows, if they'd written that patent a little more broadly, they might be collecting licensing fees today from every copy of IE and Firefox. Interestingly, that patent also describes how Prodigy monitored user characteristics in order to target online ads. This patent was filed a year before Sergei Brin and Larry Page met at Stanford. Just like ontogeny was supposed to have recapitulated phylogeny, it looks like the Web's ontogeny has recapitulated Prodigy. ------------------------------ Date: Wed, 12 Nov 2014 12:08:50 -0700 From: "Matthew Kruk" <mkrukg () gmail com> Subject: Fearing Bombs That Can Pick Whom to Kill http://www.nytimes.com/2014/11/12/science/weapons-directed-by-robots-not-humans-raise-ethical-questions.html?emc=edit_th_20141112&nl=todaysheadlines&nlid=32604355&_r=0 ------------------------------ Date: Saturday, November 8, 2014 From: *Dewayne Hendricks* <dewayne () warpspeed com> Subject: The $11M Tool That Could Help Computers Write Their Own Code (Klint Finley) Klint Finley, *WiReD*, Nov 7 2014 (via Dave Farber) The $11M Tool That Could Help Computers Write Their Own Code <http://www.wired.com/2014/11/darpa-pliny/> Nowadays, if you start typing something into Google, it tries to guess what you're looking for. Type `Wi', and it might suggest Wikipedia. Key in `Bra', and it'll guess Brad Pitt. Yes, these autocomplete suggestions are sometimes hilariously off the mark, but more often than not, they're rather accurate, providing a handy shortcut to what you want. Now, a government-backed research team wants to provide similar suggestions to the world's programmers as they're writing computer code. That's right: the aim is to guess what programmers are coding before they code it. This week, Rice University said that DARPA, the Pentagon's mad science division, has invested $11 million in this autocomplete programming project, dubbed PLINY, after the ancient Roman author of the first encyclopedia, ``Text search prediction is the best analogy,''says Vivek Sarkar, the chair of the computer science department at Rice and the principal investigator on the project. `People will be able to will be able to pick from a list of possible solutions.'' That's right: the aim is to guess what programmers are coding before they code it. The project involves researchers from from Rice, the University of Texas-Austin, the University of Wisconsin-Madison, and the developer tools company GrammaTech. PLINY will index massive amounts of opens source code gathered from the web to power a prediction engine that the researchers hope will be able to predict what coders are about to type. It could also, in theory, spot bugs or security vulnerabilities. If successful, PLINY could be a boon to companies struggling to find enough qualified programmers to work on increasingly complex software projects. It's a problem a growing number of startups are trying to solve, ranging from code education companies like Codecademy to tools like Light Table that aim to make programming more intuitive. Microsoft and Beyond PLINY isn't the first attempt to build an autocomplete system for coders. Microsoft is working on something similar with its Bing Developer Assistant, which was released last summer. But Sarkar says PLINY is an even more ambitious project. ``Most others are just text analysis with some knowledge of code structure,'' he says. [Warren Teitelman's DWIM in Interlisp? PGN] Sarkar's team is trying to develop software that analyzes not only text, but also the concepts expressed in code, regardless of the programming language it's written in. Sarkar hopes this will enable PLINY to suggest even large chunks of code that can seamlessly integrate with what a developer has already written. Better still, it might correct security vulnerabilities and other mistakes. [...] ------------------------------ Date: Fri, 7 Nov 2014 16:42:47 PST From: "Peter G. Neumann" <neumann () csl sri com> Subject: Galois report on Internet voting hack (The Kiniry in the Goal Mine? PGN) Joe Kiniry, Galois http://galois.com/wp-content/uploads/2014/11/technical-hack-a-pdf.pdf http://galois.com/blog/2014/11/hacking-internet-voting-via-ballot-tampering/ ------------------------------ Date: Thu, 06 Nov 2014 18:23:54 -0600 From: Dimitri Maziuk <dmaziuk () bmrb wisc edu> Subject: Re: Risks of assuming votes are accurate (Motala, RISKS-28.34) Assume "only the citizens get to vote" is an essential principle of voting. Letting illegal immigrants eat allowed those individuals to survive to obtain a drivers license. Which in turn allowed them to register to vote. As a result these non-citizens are now able to vote. Non-citizens voting violates an essential principle. Violation of the essential principles is usually seen as damaging. QED Dimitri Maziuk, BioMagResBank, UW-Madison -- http://www.bmrb.wisc.edu ------------------------------ Date: Mon, 10 Nov 2014 14:00:31 -0500 From: Steven Jay Klein <steven () yourmacexpert com> Subject: Re: Risks of assuming votes are accurate (Motala, RISKS-28.34) On Nov 6, 2014, at 6:45 PM, RISKS List Owner <risko () csl sri com> wrote:
This is equivalent to saying "...there seemed to have been a false assumption that allowing illegal immigrants to eat would not have any deleterious effects (on voting)."
Not quite the same thing. In my state (and many others), drivers are offered the opportunity to register to vote when they obtain a drivers license. I have never been offered a voter registration form when buying groceries or dining in a restaurant. Also, in my state (and many others), voters are required to present a drivers license or other state ID. Issuing drivers licenses certainly facilitates illegal voting in a way that eating does not. ------------------------------ Date: Fri, 07 Nov 2014 10:29:31 -0800 From: John Sebes <jsebes () osetfoundation org> Subject: Re: Online voting rife with hazards (Shapir, RISKS-28.34) Responding to Amos on the constitutionality of a voter choosing to waive ballot secrecy for Internet voting .. IANAL but I do know a bit about elections. Ballot secrecy is a matter of state election law, not state of federal constitutional law. Following the chain 3 levels: * The U.S Constitution simply requires elections to happen, in Article 1 Section 2 and then says in Section 4 "The Times, Places and Manner of holding Elections for Senators and Representatives, shall be prescribed in each State by the Legislature thereof" and that's it for elections. * State constitutions sometimes define or constrain election procedures, but Alaska's does not: "Methods of voting, including absentee voting, shall be prescribed by law. Secrecy of voting shall be preserved." Article 5 Section 3, in other words, defers to state election law on particulars, and states a goal (without definition) "secrecy of voting." Since AK election law permits absentee voting, clearly the interpretation of secrecy is not absolute. * Alaska's state election laws specifically allow an individual to waive anonymity and indeed even integrity of their ballot, and further passes responsibility from state law to regulation adopted by the state election director. The law requires that the regulation "ensure the accuracy and, to the greatest degree possible, the integrity and secrecy of the ballot" ... ... which as we know for electronic transmission the greatest degree possible is "not a lot" in practice. (The same law specifies the message Amos noted with horror: "I understand that, by using electronic transmission to return my marked ballot, I am voluntarily waiving a portion of my right to a secret ballot to the extent necessary to process my ballot, but expect that my vote will be held as confidential as possible.") I didn't track down the regulation itself but I surmise that it follows election law, which permits any voter to vote absentee at their discretion, in allowing any absentee voter to use electronic transmission at their discretion. So in practice, Alaska allows an unbounded number of voters to cast a ballot where the integrity of the ballot need be only best-effort based on the capability of the local election officials. It's interesting to note that in the recent Senate contest, the margin of victory (based on current reports) is 8,149 out about 225,000 votes cast. A 3% margin sounds safe -- until you realize that it is only 8000 votes, and you wonder how many people voted by Internet, and if was indeed around 8000 people, who was running the servers that received and stored the digital ballots. Good thing that control of the Senate did not hinge on this contest :-) John Sebes, TrustTheVote Project, Open Source Election Technology Foundation ------------------------------ Date: Fri, 7 Nov 2014 10:02:19 +0800 From: "Mark E. Smith" <mymark () gmail com> Subject: No risk of overturning a Senator's election due to dead voters. In "Absentee ballot of deceased Boston mayor not counted," Wexelblat <wex () cs uml edu> wrote: "The big risk, of course is that some close election will be overturned after a year or so because it is determined that several voters who were presumed living on election day were ultimately discovered to have been dead. The implications of determining that sitting legislators, even Senators, were not actually elected ..." I don't know about local or state elections, but Congressional elections are governed by Article I, Section 5, of the Constitution which makes Congress the sole judge of the elections, returns, and qualifications of its sitting Members. Therefore, once a Member of Congress has been sworn into office only Congress itself, and not even the Supreme Court, can remove that Member. The candidate who should have won is free to file a Federal Election Appeal with Congress, but nobody else has any recourse. Once a Member has been sworn in, Congress is usually reluctant to unseat them no matter how fraudulent that Member's election may have been (as some may recall from the Clint Curtis case), so there is no risk of a sitting Senator being removed merely because of proof of dead voters. ------------------------------ Date: 6 Nov 2014 19:14:30 -0500 From: "Bob Frankston" <bob2-53 () bob ma> Subject: Re: "Have we gotten so pathetically lame that you need to be notified by an email that your laundry is done?" (RISKS-28.34) There are multiple issues here. One is the marketing frenzy of the buzzword IoT. Reminds me of gluing a tablet to a refrigerator and marking it up to $6000 as an Internet device. Closely related is the moral judgment by those who take the contrived stories seriously. The bigger risk, though is the one I wrote about in http://rmf.vc/CILight -- the need to create high value applications because no one wants to be in the business of providing enabling technology and infrastructure like we got with IP and HTML. You can invest a lot of money to make such applications work. That is why today's IoT is full of non-synergistic point solutions. Some are very clever but many are like the smart systems in cars and are prisoners of history. They create the illusion of the NBT (Next Big Thing) but it's going to take a while to work through the myriad of new risks. At least this digest will get lots of content ... ------------------------------ Date: Tue, 11 Nov 2014 11:04:37 +0200 From: Amos Shapir <amos083 () gmail com> Subject: Re: $750k Fine for exporting crypto I used to work at a development center in Israel of a US company. I once traveled to a show in NYC carrying a sample product in my luggage, which was developed and built in Israel; on the way back, I had to leave it with the US customs because it was considered too advanced to be exported! Considering the history of some of the most popular encryption algorithms and products (e.g., RSA), it would be ironic if among the products banned by the BIS, were one which was invented in Israel, developed in Russia, designed in South Korea and produced in China... ------------------------------ Date: Sun, 7 Oct 2012 20:20:16 -0900 From: RISKS-request () csl sri com Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe: http://lists.csl.sri.com/mailman/listinfo/risks Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to risks-request () csl sri com containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either risks-subscribe () csl sri com or risks-unsubscribe () csl sri com depending on which action is to be taken. Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc. => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. <http://www.CSL.sri.com/risksinfo.html> *** Contributors are assumed to have read the full info file for guidelines. => .UK users may contact <Lindsay.Marshall () newcastle ac uk>. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail! => SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line. *** NOTE: Including the string `notsp' at the beginning or end of the subject *** line will be very helpful in separating real contributions from spam. *** This attention-string may change, so watch this space now and then. => ARCHIVES: ftp://ftp.sri.com/risks for current volume or ftp://ftp.sri.com/VL/risks for previous VoLume http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue. Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r <http://the.wiretapped.net/security/info/textfiles/risks-digest/> . ==> PGN's comprehensive historical Illustrative Risks summary of one liners: <http://www.csl.sri.com/illustrative.html> for browsing, <http://www.csl.sri.com/illustrative.pdf> or .ps for printing is no longer maintained up-to-date except for recent election problems. *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1> ------------------------------ End of RISKS-FORUM Digest 28.35 ************************
Current thread:
- Risks Digest 28.35 RISKS List Owner (Nov 13)