RISKS-LIST: Risks-Forum Digest  Weds 21 November 2012  Volume 27 : Issue 09

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/27.09.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Future of Federal Cybersecurity R&D Strategies Webcast (Jeremy Epstein)
Largest identity theft ever? (Mark Thorson)
Largest U.S. identity theft ever? (Mark Thorson)
Two items of potential interest on the 2012 election (Thom Hartmann/Sam Sacks)
ORCA, Mitt Romney's high-tech get-out-the-vote program, crashed on
  Election Day (Michael Kranish via Monty Solomon)
"Unleashed! Project Orca, the campaign killer whale"
  (Robert X. Cringely via Gene Wirchenko)
Security issues threaten to derail tablet voting (Rebecca Mercuri)
Estonia: WNYC's On the Media (E. John Sebes)
Scientists Find Cheaper Way to Ensure Internet Security (John Markoff)
Consequences of Facebook photo misidentification (Ken Olthoff via PGN)
Android flaw blocks December dates (Mark J Bennison)
Big Data and Europe's "Right to be Forgotten" (Lauren Weinstein)
Bloomberg news: Why Cell Phones Went Dead After Hurricane Sandy
  (Susan Crawford via Dave Farber)
Less privacy protection for IMAP users (Steven J Klein)
Privacy and surveillance (Steve Summit)
"Unlocking the brilliance in high tech" (Gene Wirchenko)
Re: Summary of my experiences on the election (Richard S. Russell)
2012 Layered Assurance Workshop (LAW) Final Program (Rance DeLong)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 21 Nov 2012 21:49:59 -0500
From: Jeremy Epstein <jeremy.j.epstein_at_private>
Subject: Future of Federal Cybersecurity R&D Strategies Webcast

Future of Federal Cybersecurity R&D Strategies Webcast
When: Tuesday, 27 Nov 2012
Time: 1:00pm-3:00pm EST
Webcast link: http://www.tvworldwide.com/events/nsf/121127/

Join a webcast of the Federal government's cybersecurity research and
development strategies. Senior Federal representatives will review
Government activities in implementing the Federal cybersecurity R&D
strategic plan and discuss emerging areas in cybersecurity research that
may warrant further focus.

The webcast session is part of the National Science Foundation's Secure and
Trustworthy Cyberspace Conference. Additional information about the
conference is available at http://cps-vo.org/group/satc

------------------------------

Date: Tue, 20 Nov 2012 15:09:47 -0800
From: Mark Thorson <eee_at_private>
Subject: Largest identity theft ever?

Man arrested for theft of "9 million files" said to comprise identity data
for roughly 2/3 of the Greek population.
http://www.thestar.com/news/world/article/1290410

I suppose this is the inevitable result of organizations that aggregate
such massive quantities of data combined with technology that allows it all
to fit on a tiny USB stick. Sooner or later, all of the data anyone might
care about will fit on such a stick, including every private e-mail you've
ever sent via cloud-based services and every embarrassing private photo
you've ever uploaded to a personal profile.

------------------------------

Date: Wed, 21 Nov 2012 13:01:32 -0800
From: Mark Thorson <eee_at_private>
Subject: Largest U.S. identity theft ever?

3.8 million tax returns stolen by phishing attack against the state of
South Carolina.
http://openchannel.nbcnews.com/_news/2012/11/20/15313720-one-email-exposes-millions-of-people-to-data-theft-in-south-carolina-cyberattack?lite

------------------------------

Date: Tue, 20 Nov 2012 15:37:18 PST
From: "Peter G. Neumann" <neumann_at_private>
Subject: Two items of potential interest on the 2012 election

1. Anonymous, Karl Rove, and 2012 Election Fix?
http://truth-out.org/news/item/12845-anonymous-karl-rove-and-2012-election-fix
Thom Hartmann and Sam Sacks, The Daily Take: Unless Anonymous presents
evidence to support its claims that Rove planned to steal the presidential
election for the GOP, its work will be relegated to the status of Internet
antics -- and the dustbins of history.

2. Why Anonymous' Claims about Election-Rigging Can't Be Ignored
http://truth-out.org/news/item/12871-why-anonymous-claims-about-election-rigging-cant-be-ignored
Thom Hartmann and Sam Sacks, The Daily Take: Given historical trends, why
is it inconceivable to some that Karl Rove may have tried to electronically
rig the election of 2012 in three states?

------------------------------

Date: Sun, 11 Nov 2012 16:10:30 -0500
From: Monty Solomon <monty_at_private>
Subject: ORCA, Mitt Romney's high-tech get-out-the-vote program, crashed on
  Election Day (Michael Kranish)

Michael Kranish, *The Boston Globe*, 2 Nov 2012

Mitt Romney's online voter-turnout operation suffered a meltdown on Election
Day, resulting in a crucial 90-minute "buckling" of the system in Boston and
the inability of some campaign workers across the country to use a vital
smartphone program, according to campaign officials and volunteers.

Code-named ORCA, the program was kept secret until just before the election
in order to prevent hacking of the system. It was then trumpeted by Romney's
aides as an unrivaled high-tech means of communicating with more than 30,000
field workers who were stationed at polling places on Election Day. Those
volunteers were supposed to track who voted and to alert Boston headquarters
if turnout was lower than expected at key precincts.

But at Boston's TD Garden, where 800 Romney workers were staffing phones and
computers in coordination with the field workers to oversee the turnout, the
surge in traffic was so great that the system didn't work for 90 minutes,
causing panic as staffers frantically tried to restore service. Some
campaign workers also reported that they had incorrect PINS and had not been
informed that they needed certification to work at polling places. ...

http://www.boston.com/news/politics/2012/president/candidates/romney/2012/11/10/orca-mitt-romney-high-tech-get-out-the-vote-program-crashed-election-day/gflS8VkzDcJcXCrHoV0nsI/singlepage.html

------------------------------

Date: Sun, 11 Nov 2012 18:39:59 -0800
From: Gene Wirchenko <genew_at_private>
Subject: "Unleashed! Project Orca, the campaign killer whale" (Cringely)

Robert X. Cringely, *InfoWorld*, 09 Nov 2012
Unleashed! Project Orca, the campaign killer whale
Big data fails big time for the Romney camp as its smartphone app crashes
spectacularly, right on schedule for Election Day
http://www.infoworld.com/t/cringely/unleashed-project-orca-the-campaign-killer-whale-206782

------------------------------

Date: Tue, 06 Nov 2012 13:46:07 -0500
From: Rebecca Mercuri <notable_at_private>
Subject: Security issues threaten to derail tablet voting

  [My apologies to Rebecca Mercuri. She sent me this item just *before* the
  election, and I requeued it to RISKS for the post-election issue -- but
  somehow it fell through the crack. However, it is still very timely. PGN]

http://tabtimes.com/feature/government/2012/11/05/security-issues-threaten-derail-rise-tablet-voting

This interview was done a while ago, but they apparently held the article
for publication immediately prior to the election. A few of my quotes
sounded even more pithy given the e-mail and fax voting options in NJ.

  [For example, see Andrew Appel's Freedom-to-Tinker item in RISKS-27.06. PGN]

Incidentally, *everyone* in NJ could have availed themselves of paper ballot
voting if they had registered as permanent absentees (no reason needed).
It's an easy form, and every year, like clockwork, your ballot shows up to
fill out and send back (or drop off at the County Board of Elections). No
polls, no lines, no waiting. And indeed, these are the only voter-verified
records available for hand-recounts in the Garden State.

------------------------------

Date: Mon, 12 Nov 2012 10:08:39 -0800
From: "E. John Sebes" <jsebes_at_private>
Subject: WNYC's On the Media

3 reasons why Estonia's e-voting is irrelevant to the U.S.

1) Estonia has a national ID system that enables strong authentication of
online citizen/gov't transactions. U.S. has no prospect of a national ID
system, and no state has a state ID system that supports online
transactions.

2) Estonia's elections are administered by the Federal government. U.S.
elections are administered locally.

3) Even with much federal funding for a central I.T. system for i-voting,
the result was a system with low software integrity and lax datacenter
operations that were given a "gentleman's C-" by independent review by OSCE.
In the less polite U.S., that grade would have been an "F".

Instead of saying "If it works in Estonia, why can't it work in the U.S?"
the question is "If it did not work in Estonia, why would you think it would
work for each of the thousands of U.S. local elections?"

------------------------------

Date: Wed, 21 Nov 2012 20:56:55 PST
From: "Peter G. Neumann" <neumann_at_private>
Subject: Scientists Find Cheaper Way to Ensure Internet Security (John Markoff)

John Markoff, *The New York Times*, 20 Nov 2012

Scientists at Toshiba and Cambridge University have perfected a technique
that offers a less expensive way to ensure the security of the high-speed
fiber optic cables that are the backbone of the modern Internet.
http://www.nytimes.com/2012/11/20/technology/fiber-optic-breakthrough-to-improve-internet-security-cheaply.html

The research, which will be published Tuesday in the science journal
Physical Review X, describes a technique for making infinitesimally short
time measurements needed to capture pulses of quantum light hidden in
streams of billions of photons transmitted each second in data networks.

Scientists used an advanced photodetector to extract weak photons from the
torrents of light pulses carried by fiber optic cables, making it possible
to safely distribute secret keys necessary to scramble data over distances
up to 56 miles.

Such data scrambling systems will most likely be used first for government
communications systems for national security. But they will also be
valuable for protecting financial data and ultimately all information
transmitted over the Internet.

The approach is based on quantum physics, which offers the ability to
exchange information in a way that the act of eavesdropping on the
communication would be immediately apparent.

The achievement requires the ability to reliably measure a remarkably small
window of time to capture a pulse of light, in this case lasting just 50
picoseconds -- the time it takes light to travel 15 millimeters. ...

  [I'm very fond of David Wagner's comment to the effect that quantum
  cryptography takes money that people don't have to solve a problem they
  don't have. PGN]

------------------------------

Date: Thu, 15 Nov 2012 10:24:19 PST
From: "Peter G. Neumann" <neumann_at_private>
Subject: Consequences of Facebook photo misidentification

  [Thanks to Kenneth Olthoff for spotting this one. PGN]

If you thought that embarrassing photos from a party where you had one too
many were a problem on Facebook, here's one from the BBC about the face of
the "martyr" that was the wrong person's photo. It led to the woman whose
photo was mistakenly used having to flee her country.
http://www.bbc.co.uk/news/magazine-20267989

------------------------------

Date: Mon, 19 Nov 2012 12:32:46 +0000
From: "Mark J Bennison (UK)" <mark.m.bennison_at_mbda-systems.com>
Subject: Android flaw blocks December dates

The People app calendar goes from November 2012 to January 2013, and
completely omits December. The People app is the default app for contact
info on Androids.
http://www.bbc.co.uk/news/technology-20392386

  [The Androgrinch stole Christmas? PGN]

------------------------------

Date: Tue, 20 Nov 2012 21:58:35 -0800
From: Lauren Weinstein <lauren_at_private>
Subject: Big Data and Europe's "Right to be Forgotten"

Will Big Data sink Europe's nightmarish "Right to be Forgotten" concept?
Let's hope so!

http://j.mp/SdluF1 (GigaOM via NNSquad)

"A report by Europe's cybersecurity agency points out several flaws with
the proposed 'right to be forgotten'. A big one has to do with the
challenges presented by the increasing use of aggregated data."

Good. Very good. Excellent. Just about anything that helps to kill off the
nightmarish Right to Be Forgotten concept is welcome.

Background reading on this issue:
"The 'Right to Be Forgotten'. A Threat We Dare Not Forget":
http://bit.ly/yk8t7m (Lauren's Blog)

------------------------------

Date: Fri, 16 Nov 2012 20:29:07 -0500
From: Dave Farber <dave_at_private>
Subject: Bloomberg news: Why Cell Phones Went Dead After Hurricane Sandy

by Susan Crawford

After Hurricane Sandy, survivors needed, in addition to safety and power,
the ability to communicate. Yet in parts of New York City, mobile
communications services were knocked out for days. The problem? The
companies that provide them had successfully resisted Federal
Communications Commission calls to make emergency preparations, leaving New
Yorkers to rely on the carriers' voluntary efforts.

http://bloom.bg/QK5ZYd

Susan Crawford is a monthly columnist for Bloomberg View. She is a visiting
professor at Harvard's Kennedy School of Government and at Harvard Law
School.

  [This is a long item from Dave Farber's IP distribution, truncated for
  RISKS, but worth pursuing. It generated extensive comments that are
  included at the above URL. PGN]

Contacts: Susan P. Crawford at scrawford_at_private or @scrawford
<https://twitter.com/scrawford> on Twitter.

------------------------------

Date: Wed, 14 Nov 2012 17:55:59 -0500
From: Steven J Klein <steven_at_private>
Subject: Less privacy protection for IMAP users

In the US, e-mail privacy is protected by the Electronic Communications
Privacy Act. The law, passed in 1986, requires that law enforcement
officials obtain a warrant to intercept & read private e-mail.

But the law has a critical flaw: It treats e-mail left on third-party
servers for 180 days as "abandoned." All that's necessary for the
government to get copies of those older messages is for a prosecutor to
request them.

Now that IMAP and web-based mail is commonplace, many people use mail
servers for permanent storage of old messages. I doubt the average gmail
user considers his old messages as abandoned.

Apparently this loophole played a role in the recent investigation of CIA
director General Petraeus.

A coalition of e-mail service providers is seeking a revision of the law to
treat messages in the cloud the same as messages stored on a home computer.
The Obama administration opposes the change.

------------------------------

Date: Wed, 14 Nov 2012 02:26:21 -0800
From: scs_at_private (Steve Summit)
Subject: Privacy and surveillance

Good *NYT* article on the conflicting goals of investigating harassment or
security breaches, versus respecting people's privacy.

"The F.B.I. investigation that toppled the director of the C.I.A. [...]
underscores a danger that civil libertarians have long warned about: that
in policing the Web for crime, espionage and sabotage, government
investigators will unavoidably invade the private lives of Americans."

"What began as a private, and far from momentous, conflict between two women
[...] has had incalculable public costs."

http://www.nytimes.com/2012/11/14/us/david-petraeus-case-raises-concerns-about-americans-privacy.html&emc=eta1

------------------------------

Date: Mon, 12 Nov 2012 09:27:23 -0800
From: Gene Wirchenko <genew_at_private>
Subject: "Unlocking the brilliance in high tech"

http://www.itbusiness.ca/IT/client/en/CDN/News.asp?id=69298
Unlocking the brilliance in high tech
Author describes her journey in the male dominated engineering trade
11/10/2012 5:09:00 PM By: Christine Wong

This article is mainly about how one woman got going in engineering, but
then gets into a risk of not having more women in the field.

"Examples in her book include the fact that voice recognition software and
car air bags weren't originally designed with female users in mind, an
oversight that had disastrous results in the former case and life
threateningly dangerous consequences in the latter."

------------------------------

Date: Sun, 11 Nov 2012 22:59:45 -0600
From: "Richard S. Russell" <richardsrussell_at_private>
Subject: Re: Summary of my experiences on the election (Re: Jones, R-27.08)

> From: "Jones, Douglas W" <douglas-w-jones_at_private>
> In my opinion, Florida's legislature can make several changes to address
> these problems...

There are 2 halves to this idea. The good half is for the long form to
contain all the legalese, the official language that actually accomplishes
something, with the short form containing the PR version that conveys a
layperson's interpretation of the measure.

The bad half is letting the proponents compose the PR version. This is
likely to lead to things like "Little pig-tailed girls love kitties and
rainbows and butterflies, and isn't that wonderful?", regardless of what
the measure actually accomplishes. Its proposers will naturally skew the
interpretation to be as favorable as possible toward the outcome they
desire.

Here in Wisconsin the short-form wording is composed by the non-partisan
Legislative Reference Bureau, and this seems to have been satisfactory,
although we haven't had such issues with nearly the frequency of other
states.

On a related matter, I muse that sooner or later some jurisdiction will try
on-line voting, some 13-year-old computer whiz will hack the system to get
himself elected mayor or governor, and that'll be the end of that.

Richard S. Russell, a Bright (http://the-brights.net)
2642 Kendall Av. #2, Madison WI 53705-3736
608+233-5640 • RichardSRussell_at_private
http://richardsrussell.livejournal.com/

------------------------------

Date: Wed, 21 Nov 2012 10:17:37 -0800
From: Rance DeLong <rdelong_at_private>
Subject: 2012 Layered Assurance Workshop (LAW) Final Program

The Sixth Layered Assurance Workshop (LAW)
co-located with the 28th Annual Computer Security Applications Conference
(ACSAC 2012)
Buena Vista Palace Hotel & Spa in the Walt Disney World Resort, Florida, USA
3-4 December 2012
http://www.acsac.org/2012/workshops/law/

The Layered Assurance Workshop is just twelve days away. The final LAW
program is available at the link above. See the program for the interesting
panels and papers.

Registration for LAW may be accomplished through the ACSAC registration
page at http://www.acsac.org.

We look forward to your participation.

Rance J. DeLong, Workshop Chair

  [Disclaimer: I'll be participating in both LAW2012 and ACSAC. Both very
  worthy meetings. PGN]

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you. The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request_at_private
 containing only the one-word text subscribe or unsubscribe. You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken. Subscription and unsubscription
 requests require that you reply to a confirmation message sent to the
 subscribing mail address. Instructions are included in the confirmation
 message. Each issue of RISKS that you receive contains information on how
 to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
 or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
 Lindsay has also added to the Newcastle catless site a palmtop version
 of the most recent RISKS issue and a WAP version that works for many but
 not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   <http://www.csl.sri.com/illustrative.html> for browsing,
   <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
 is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them. Try
 browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
   <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 27.09
************************