RISKS-LIST: Risks-Forum Digest Tuesday 26 July 2011 Volume 26 : Issue 50 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/26.50.html> The current issue can be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents National Popular Vote -- Needs Governor Brown's Veto (Rebecca Mercuri) New Court Filing Reveals How the 2004 Ohio Presidential Election Was Hacked (Bob Fitrakis via Monty Solomon) Software Designer Reports Error in Anthony Trial (Lizette Alvarez via PGN) Computer problems may trump debt ceiling (Mark Thorson) The British Phone Hacking Scandal (Peter Bernard Ladkin) Indian government uses Hotmail! (Ashish Gehani) Skype Vulnerability (Gene Wirchenko) Booz Allen systems breached (Jason Ukman via PGN) Do Not Track Not Being Followed (Grant Gross via Gene Wirchenko) Man gets 18-year sentence for harassing neighbor through Wi-Fi (Mark Thorson) Let's hope their code stays closed! (jidanni) Decoupling Civil Timekeeping from Earth Rotation? (Rob Seaman) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Sun, 17 Jul 2011 16:46:19 -0400 From: RTMercuri <notable_at_private> Subject: National Popular Vote -- Needs Governor Brown's Veto Please take action in informing Governor Brown why AB 459 must be vetoed. We stopped this in 2006. It needs to be stopped again! RM. [This was apparently presented to the Governor at 1:30pm PDT on 25 Jul. PGN] Rebecca Mercuri, National Popular Vote Returns to California, 17 Jul 2011 Back in 2006, the National Popular Vote (NPV) Proposal was thoughtfully vetoed in California when its incarnation (as AB 2948) crossed Governor Schwarzenegger's desk. Unfortunately, this legislative whack-a-mole has returned again to the Eureka state, this time in the form of AB 459, now awaiting signing by Governor Jerry Brown. This passage would inch the likely unconstitutional movement ever closer to the 270 electoral votes necessary to activate its bogus plan. For those who are unaware of the dangers of NPV, essentially it will require pooling of the popular votes for U.S. Presidential candidates, among the states that have enacted the bill, requiring that all of these states collectively cast their electoral votes for the singular popular vote winner of the pool. In other words, the popular vote winner in each individual state will be entirely IGNORED, if the pooled votes' result is not the same. An early proponent behind the NPV movement was well-known Presidential election "spoiler" John B. Anderson. Anderson is also an outspoken supporter of Instant Runoff Voting (IRV), another tabulation method that disregards the "first choices" of voters in favor of an aggregated result. Touted as a way to "level the playing field" between the states, NPV supporters use fuzzy math claims in order to reject other more plausible and fair schemes (such as dividing the electors within each state as to their proportion of the different candidate votes) that do not require "winner-take-all" or interstate pooling methodologies. One need only recall the fuzzy math that Hillary Clinton's camp used in attempting to exclude caucus states from the national popular vote in the 2008 Democratic primary, in order to gauge the level of shenanigans that are likely to occur once an enormous block of electoral votes comes into play. As I (and others) had earlier informed Governor Schwarzenegger "Already, the westernmost states have less of a say in the Presidential elections due to early disclosures of vote totals and polling data from the states in earlier time zones. This bill further reduces the impact or even necessity of Californians in the decision process. Even more dangerously, states that have inadequate or inferior election equipment or auditing processes may adversely influence the vote totals, such that an incorrect popular vote could be used to determine California's electors." All of this is still true with the current version of the bill. Your help is URGENTLY needed now in informing Governor Brown why AB 459 must NOT become law. The contact information is: Governor Jerry Brown, c/o State Capitol, Suite 1173, Sacramento, CA 95814; Phone: (916) 445-2841; Fax: (916) 558-3160. Rebecca Mercuri, Ph.D. ------------------------------ Date: Tue, 26 Jul 2011 10:47:56 -0400 From: Monty Solomon <monty_at_private> Subject: New Court Filing Reveals How the 2004 Ohio Presidential Election Was Hacked Bob Fitrakis, *The Free Press*, 20 Jul 2011 A new filing in the King Lincoln Bronzeville v. Blackwell case includes a copy of the Ohio Secretary of State election production system configuration that was in use in Ohio's 2004 presidential election when there was a sudden and unexpected shift in votes for George W. Bush. The filing also includes the revealing deposition of the late Michael Connell. Connell served as the IT guru for the Bush family and Karl Rove. Connell ran the private IT firm GovTech that created the controversial system that transferred Ohio's vote count late on election night 2004 to a partisan Republican server site in Chattanooga, Tennessee owned by SmarTech. That is when the vote shift happened, not predicted by the exit polls, that led to Bush's unexpected victory. Connell died a month and a half after giving this deposition in a suspicious small plane crash. Additionally, the filing contains the contract signed between then-Ohio Secretary of State J. Kenneth Blackwell and Connell's company, GovTech Solutions. Also included that contract a graphic architectural map of the Secretary of State's election night server layout system. ... http://freepress.org/departments/display/19/2011/4239 http://freepress.org/images/departments/4237/ClevExIArchMap2004Ohioelection.pdf http://freepress.org/images/departments/4237/SmartechRoutingOH04.pdf ------------------------------ Date: Mon, 25 Jul 2011 19:03:51 PDT From: "Peter G. Neumann" <neumann_at_private> Subject: Software Designer Reports Error in Anthony Trial (Lizette Alvarez) Lizette Alvarez, *The New York Times* nat'l edition, A14, 19 Jul 2011 [PGN-ed] In the Casey Anthony trial, the prosecution repeatedly emphasized that the defendant had conducted 84 searches on the word `chloroform'. However, John Bradley (who created the CacheBack software that could have been used by the prosecution to validate their use of the number 84) had declared during the trial that the software actually came up with the number 1: only one such search -- through Google, which then led to a website which was itself searched only once. Bradley reported that finding to the court, but it was never presented to the jury and the record never corrected. Apparently, the prosecution never attempted to verify their number, using that software 84. ------------------------------ Date: Thu, 7 Jul 2011 22:15:50 -0700 From: Mark Thorson <eee_at_private> Subject: Computer problems may trump debt ceiling According to this article, the difficulty of reprogramming the computers at the Treasury department may prevent that department from obeying the debt ceiling, even if Congress doesn't raise it. http://blogs.reuters.com/felix-salmon/2011/07/07/what-happens-on-august-3/ The risk is having a system designed under the assumption that the debt ceiling will always be raised, compounded by the risk of having an incentive against implementing the flexibility needed to accommodate the ceiling not being raised. Or maybe the risk is having Congressmen who believe there really is a debt ceiling. ------------------------------ Date: Fri, 22 Jul 2011 08:08:45 +0200 From: Peter Bernard Ladkin <ladkin_at_private-bielefeld.de> Subject: The British Phone Hacking Scandal I have been following the scandal closely, because of what it says or does not say about modern Britain. Everyone notes wryly the French "corporate state" being run by ENiAcs, but few people have noted how Britain has reverted to being run by Oxbridge graduates - this time, indeed, by people who were once what we used to call "little rich kids", former members of the Bullingdon club (look it up in Wikipedia). Indeed, five members of the current government went to my very college. Now, I am moderately attached to and supportive of my college, but I am also very aware of how one's upbringing affects one's attitude to life and am skeptical that people who were as financially and socially privileged as some of these can understand, even begin to solve, issues to do with Britain's poor and underprivileged, or the structural-economic issues involved with Lancashire, Yorkshire, Northumberland and Durham, or with Scotland, indeed with any parts except London and enclaves of wealthy people. Or even figure out what is right and what is wrong with the NHS, or with state secondary education, neither of which any of them have ever had to experience. I, personally, believe that the NHS and the state education of the sort I received are two of the great achievements in Britain of the last century. And I do have personal experience of three health systems, and three university systems, as well as intimate knowledge of features of school systems, over decades in three very different countries - and of course three newspaper systems - so I like to think my perspective is informed. Press first. I think the British press has given up its former partial role as informer and arbiter of social reality (I am not quite sure how to phrase it - the experience of reading a newspaper article and knowing you were getting objective and moderately complete information through your reading it) - a role which papers such as the NYT, Washington Post, and in Germany FAZ and SZ still play, and which at least The Times used to play in GB and no longer does (for example, The Times's extremely poor and quite poorly-opinionated coverage of AF447, as compared with that of the NYT). Now, the Brit/American Roger Cohen, who writes columns for the NYT and is almost always worth reading, had an interesting perspective. A week ago, he argued that Rupert Murdoch had been good for the British press, on the basis that he had kept it alive and thriving at a point at which it could well have died (he suggests that The Times would likely have disappeared were it not for Murdoch). I think much of that may well be right - it is hard to see how the newspaper business could have survived, given the then-demands of the printers' unions, and Murdoch single-handedly changed that situation. But the daily printed word seems to have become much less trustworthy in the UK in a way in which, for example, the best newspapers elsewhere (NYT, WP, SZ, FAZ) have not. Even the WSJ, another paper which can be argued to have been Murdoch-rescued, has not succumbed. There just seems to be something about the British press in which I suspect Murdoch&family to have significant influence over content. The NHS is being slowly destroyed, I think, through successive poor policy and management over decades, and I think that state secondary school education has been on the down for decades. I had some hopes for the university system, which when I entered it was scholastic-inclined and elitist, with intake some very few percent of the population, and after some culture shock at entering a system which took some few percent of a very different population, came to see the enormous advantages of a higher-education system which addressed over 50% of school leavers (in universities and community colleges, in almost all of which one could do the first year or two of any university coursework at - then - no cost). So I had hopes, for a decade or two, for the English university system, but perceiving the conditions under which my English colleagues now work, and what has happened to courses and coursework and now student fees, I can't any longer say that I think things have improved. What I can say is that for younger academics at the start of their careers the system is still superior, more humane and more encouraging, than most or all of those in continental Europe, or even the US. So that remains a beacon of hope (sorry for the cliche). But for the general university situation, I can't see that privileged rich kids can have much personal insight into the matters that count: who should be going to university, why, and under what conditions. And without personal insight and experience, I don't see how one can distinguish policies that might work from those that won't. I can't see, for example, any 18 year old who has been trying to manage a couple of quid a week pocket money being able to make a well-informed decision that going into debt for £9,000 per year plus living expenses is going to be at all worth it for hisher future life. Maybe so for, say, law, microeconomics or engineering, but not for, say, Eng. lit., Latin&Greek, French lit., German lit., philosophy, or those other courses of study which one might imagine would give a future lawyer, politician or civil servant some perspective on the variety of life with which they will be dealing and train some important skills such as producing a coherent argument, and being able to write decently. In contrast, I *can* see that, very easily, for young Americans in the same position. Let me just say that money plays a different role there; enough that it was part of my culture shock when I got there. So what is significant in this scandal? 1. The extent to which it has become clear how Britain is run by elites, many of whom appear to move in the same social circles. At least Blair used to hob-nob with rock stars, most of which are self-made people who were not financially privileged when they started, and probably still remember what life was like with mum and dad trying to figure out if the family could afford to go on holiday that year, rather than what fun they used to have in the Bullingdon club. But one cannot imagine either him or Brown regularly lunching and partying with, say, the Gallagher brothers. 2. The extent to which it has become clear how British life is influenced by those elites. You'll find articles about Paris Hilton's, Lindsay Lohan's and Britney Spears's latest jaunts in the NYT also, but you will also find technical details of GE Boiling Water Reactors and why they are susceptible to this-and-that. The German press will point you to technical documents of the German regulator and safety watchdog available on the WWW. Whereas one will search the British press fruitlessly for any details concerning British nuclear power plants. 3. The extent to which the police appear to have been influenced by those elites. When I grew up, the bobby and the doctor were examples of public servants who performed useful functions largely independently of anything and anybody else (although of course there were always corrupt bobbies and incompetent doctors). Wednesday, I read through the Home Affairs Select Committee report and was astonished at the police behavior, which appears to be collusive to an extraordinary extent at the highest levels. But maybe those who have actually lived in Britain in the last two decades are less astonished? 4. The extent to which the old trope "I'm the top guy. I didn't know anything about what was going on lower down" is nowadays used as a *defence* of one's (in)actions. Thirty years ago, it was the major reason for *resigning*! (As indeed Yates and Stephenson have done - so it still is to some extent. And Hayman got hammered by the Home Affairs Select Committee when he tried to use it, so someone still remembers the "old days".) 5. I am, though, pleased to see the effectiveness of Select Committees. James Murdoch saying he had been advised by his consultants to tell the truth (oh, well, nice to know you get advice from wise people, Mr. Murdoch!). And two days later Crone and Myler contradicting his "defence" as in point 4. Indeed, it is hard to believe any business person agreeing to settle a privacy-invasion case for ten times the going rate (Mosley won £60,000 against the NOTW in court at about the same time, and even that was up to ten times the award of most successful privacy-invasion suits), plus full legal expenses, without asking why. I think that makes James Murdoch toast, business-wise, whatever the truth turns out to be. I suspect he may even have to work a little to stay out of jail, but see point 3 above. So even though they may be pocketing taxpayers' money to have their moats cleaned, some politicians are still able to do a decent job on *other people's misdemeanors*. 6. There are the kinds of things which either makes one regret that one didn't go into politics, or very relieved that one stayed out. The financial collapse three years ago (which, by the way, I though was brilliantly handled by Gordon Brown, alone amongst Western leaders). But there are also the kind of things which lead me to general despair. This is one of those. It's a "time to emigrate" moment. Except that I did, and now I'm running out of places. Canada? It's cold and there's that bully to the south. Australia? I'm not sure I have the energy to learn another new language. New Zealand? All those sheep! But I'd feel at home with the earthquakes. 7. Maybe it's time to form a new political party for those who work hard, pay their taxes, and expect them to go somewhere useful like health care, care of the elderly, education, effective oversight of finance and critical infrastructure, public transportation, and effective urban reinvigoration. (Germany at least gets the last two right.) Wait a minute! Didn't we have one of those? What happened to it? Peter Bernard Ladkin, Professor of Computer Networks and Distributed Systems, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany Tel+msg +49 (0)521 880 7319 www.rvs.uni-bielefeld.de ------------------------------ Date: Tue, 19 Jul 2011 10:05:19 -0700 From: Ashish Gehani <gehani_at_private> Subject: Indian government uses Hotmail! This may be of interest to Risks readers: http://www.businessweek.com/news/2011-07-18/india-government-s-use-of-hotmail-gmail-recipe-for-disaster-.html [The outsourcees are outsourcers. Outsorcery is riskful. PGN] ------------------------------ Date: Tue, 19 Jul 2011 12:52:57 -0700 From: Gene Wirchenko <genew_at_private> Subject: Skype Vulnerability Jeremy Kirk, IDG News Service, InfoWorld Home, 15 Jul 2011 http://www.infoworld.com/d/networking/researchers-finds-dangerous-vulnerability-in-skype-138 Update: Researcher claims dangerous vulnerability in Skype. The flaw could allow an attacker to reset a Skype user's password and take control of their account A security consultant has notified Skype of a cross-site scripting flaw that could be used to change the password on someone's account, according to details posted online. Skype said it would issue a fix next week. ... [Fixed by now? PGN] ------------------------------ Date: Tue, 12 Jul 2011 2:28:35 PDT From: "Peter G. Neumann" <neumann_at_private> Subject: Booz Allen systems breached (Jason Ukman) Anonymous claims it obtained military data in breach of Booz Allen systems Jason Ukman, *The Washington Post*, 11 Jul 2011 <http://www.washingtonpost.com/jason-ukman/2011/03/02/ABr5GIQ_page.html> The hacker group that calls itself Anonymous claimed Monday that it had infiltrated the servers of Booz Allen Hamilton and obtained tens of thousands of e-mail addresses and other sensitive data for military personnel. In a new post on PirateBay, a site that hackers use to distribute vast caches of data, the group dubbed the leak Military Meltdown Monday. It claimed that it was surprisingly easy to hack into Booz's systems and secure -- 90,000 military emails and password hashes. The data appeared to include e-mail addresses, as well as encrypted versions of passwords. <http://thepiratebay.org/torrent/6533009> ``In this line of work you'd expect them to sail the seven proxseas with a state-of-the-art battleship, right?'', the Anonymous post said in describing the firm's network defenses. ``Well, you may be surprised as were when we found their vessel being a puny wooden barge.'' Asked for comment, a spokesman for Booz directed The Washington Post to a tweet by the company: ``As part of BoozAllen security policy, we generally do not comment on specific threats or actions taken against our system.'' <http://twitter.com/#%21/BoozAllen/status/90504500141506560> Because the passwords were encrypted, one of the greatest dangers of the leak may be that the e-mail addresses could be used to contact military personnel under false pretenses and lure them into revealing their unencrypted passwords. Booz, headquartered in Tysons Corner, is a major contractor for the Pentagon and Department of Homeland Security. Anonymous and its spin-off group, LulzSec, have claimed responsibility for a string of attacks against private firms and government agencies. Earlier this month, Anonymous claimed to have hacked the systems of a West Virginia-based IT security company and acquired data from the Army, the Navy, the Department of Justice and NASA. <http://www.washingtonpost.com/blogs/faster-forward/post/anonymous-releases-more-us-government-data-after-arrests/2011/07/08/gIQA7YAj3H_blog.html> ------------------------------ Date: Tue, 19 Jul 2011 12:48:52 -0700 From: Gene Wirchenko <genew_at_private> Subject: Do Not Track Not Being Followed (Grant Gross) Is anyone surprised about this? Grant Gross, IDG News Service, *InfoWorld*, 15 Jul 2011 Ad networks not honoring do-not-track promises Some NAI members continue to leave tracking cookies on computers of those who have opted out of targeted ads, a study says Some online advertising networks continue to track Web users after tracking opt-out requests, even though the networks have promised to honor those questions, according to a new study from Stanford University's Center for Internet Society. Eight members of the Network Advertising Initiative, a cooperative of online marketing and analytics companies, promise to stop tracking people who use the NAI's service to opt out of targeted advertising, but continue to leave tracking cookies on those people's computers, according to the study, published this week. ... [*The NY Times* has an article on 26 Jul 2011 on how the government is going after these folks. PGN] ------------------------------ Date: Wed, 13 Jul 2011 20:45:50 -0700 From: Mark Thorson <eee_at_private> Subject: Man gets 18-year sentence for harassing neighbor through Wi-Fi To get revenge on his neighbor, an ex-computer technician bought a Wi-Fi hacking program, broke into his neighbor's network, and carried on a 2-year campaign of harassment including making threats against vice-president Biden that the Secret Service traced to the neighbor's IP address. http://www.dailymail.co.uk/news/article-2014556 [I'm wondering what the program does that makes hacking a Wi-Fi network so easy. MT] [No surprise here. PGN] ------------------------------ Date: Wed, 20 Jul 2011 08:11:32 +0800 From: jidanni_at_private Subject: Let's hope their code stays closed! Smuggled out from a certain closed source project I help with: "...Welcome to the club :-) Had big issues reproducing it as well, but finally were able to by filling up my inbox with a bunch of fresh and unanswered requests. The problem was caused in the code part that is responsible for generating the expiring-request-warning-list in the side bar and started a chain-row-effect by crashing the translation engine which at the end of the chain scrambled the correct handing of interactions with the reply buttons. So this bug wasn't an issue for all the user base, just for the ones with a lot of unanswered requests. Cheers!" Let's hope their code stays closed. [or bombarded with requests? PGN] ------------------------------ Date: Tue, 26 Jul 2011 09:58:34 -0700 From: Rob Seaman <seaman_at_private> Subject: Decoupling Civil Timekeeping from Earth Rotation? This meeting announcement is about as broad a computing issue in its impact as any, and has received little attention outside of fields like astronomy in which an obvious Y2K-like crisis looms. Announcement for "Decoupling Civil Timekeeping from Earth Rotation" Exton, PA USA, 5-6 Oct 2011 Researchers and engineers have organized a meeting on the proposed redefinition of Coordinated Universal Time (UTC). Contributions are solicited: http://futureofutc.org/ There will be a final vote at the International Telecommunication Union assembly in Geneva in January 2012 whether to cease issuing leap seconds. This proposal has been discussed previously (e.g., RISKS 24.79 and 26.43), but no public meeting has been held since 2003. The agenda will focus on impacts of the change and possible engineering remediation strategies. For more details, the International Earth Rotation Service has = circulated the announcement: http://data.iers.org/products/2/14839/orig/message_191.txt There is a related article in the current issue of *American Scientist* http://www.americanscientist.org/issues/feature/2011/4/the-future-of-time-utc-and-the-leap-second (preprint: http://arxiv.org/pdf/1106.3141) With no leap seconds, UTC would no longer provide actual Universal Time. Systems that previously assumed UTC was UT, will need to distinguish the two by introducing the correction known as DUT1. While Systems that already include DUT1 will need to allow for it growing past the current 0.9s Y2K-like limit. The proposal also eliminates the current distribution scheme for DUT1. Rob Seaman, National Optical Astronomy Observatory, Tucson, AZ ------------------------------ Date: Mon, 6 Jun 2011 20:01:16 -0900 From: RISKS-request_at_private Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe: http://lists.csl.sri.com/mailman/listinfo/risks Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to risks-request_at_private containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either risks-subscribe_at_private or risks-unsubscribe_at_private depending on which action is to be taken. Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc. => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. <http://www.CSL.sri.com/risksinfo.html> The full info file may appear now and then in RISKS issues. *** Contributors are assumed to have read the full info file for guidelines. => .UK users may contact <Lindsay.Marshall_at_private>. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail! => SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line. *** NOTE: Including the string "notsp" at the beginning or end of the subject *** line will be very helpful in separating real contributions from spam. *** This attention-string may change, so watch this space now and then. => ARCHIVES: ftp://ftp.sri.com/risks for current volume or ftp://ftp.sri.com/VL/risks for previous VoLume http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue. Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r <http://the.wiretapped.net/security/info/textfiles/risks-digest/> . ==> PGN's comprehensive historical Illustrative Risks summary of one liners: <http://www.csl.sri.com/illustrative.html> for browsing, <http://www.csl.sri.com/illustrative.pdf> or .ps for printing is no longer maintained up-to-date except for recent election problems. ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1> ------------------------------ End of RISKS-FORUM Digest 26.50 ************************Received on Tue Jul 26 2011 - 13:28:19 PDT
This archive was generated by hypermail 2.2.0 : Tue Jul 26 2011 - 16:23:07 PDT