Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
New Brennan Center study outlines how officials can cure election design defects, save votes Several hundred thousand votes lost from design flaws in recent elections: http://www.brennancenter.org/content/resource/study-design-flaws-contribute-to-hundreds-of-thousands-of-lost-votes-in-recent-elections.html BrennanCenter study http://ow.ly/cBYyB #votingrights DESIGN FLAWS CONTRIBUTE TO HUNDREDS OF THOUSANDS OF LOST VOTES IN RECENT ELECTIONS Report Details Major Ballot Design Problems, Proposes Non-Partisan Solutions Contact: Erik Opsal, email@example.com 1-646-292-8356 Design defects in ballots, voter instructions, and voting machines contributed to the loss of several hundred thousand votes in the most recent national elections, a new Brennan Center for Justice study found. http://www.brennancenter.org/content/resource/better_design_better_elections In addition, the report notes that in the 2008 and 2010 general elections combined, as many as 400,000 people had their absentee or provisional ballot rejected because they made technical mistakes completing forms or preparing and returning the envelope. Poor design increases the risk of lost or misrecorded votes among all voters, but the risk is even greater for particular groups, including low-income voters, and the elderly. The comprehensive study outlines simple measures election officials can take before November to cure design defects and ensure every voter can cast a ballot that counts. View a slideshow of design flaws and solutions in recent national elections. http://www.brennancenter.org/page/-/Democracy/VRE/Better_Design_Slideshow.pdf "In the age of smartphones and tablets, many have realized the importance of good design and usability, but American elections are still marred by major design problems, " said Lawrence Norden, deputy director of the Center's Democracy Program and co-author of Better Design, Better Elections. "The rise of absentee and provisional voting since 2000 has made ballot design in our elections even more important. If a voter takes the responsibility to vote, election officials must do everything in their power to make sure that vote counts." The Brennan Center's report details four design and usability problems in 2008 and 2010. Here are a few select examples: Problem 1: Ballot Layouts that Invite Overvotes or Undervotes * In East St. Louis, IL in 2008, the ballot design led 1 in 10 voters to skip the U.S. Senate contest by mistake because of an inadequate header identifying the race. More than twice as many votes were lost in East St. Louis than the rest of the state. The Brennan Center's revised ballot (page 17) could have saved many hundred votes. Problem 2: Poor Voter Instructions * In the governor's contest in Ohio in 2010, several counties reported unusually high numbers of voters selecting more than one candidate. The culprit appears to be the instructions, which state "select the set of joint candidates of your choice." In Cuyahoga County alone, more than 2,000 voters did not have their vote for governor counted because they selected more than one gubernatorial candidate. The Brennan Center's suggestion for revising the instruction appears on page 25. Problem 3: Unclear Voting Machine Messages * Tens of thousands of votes were not counted in 13 Florida counties in 2008 and in New York State in 2010 because of ineffective overvote warnings. If a voter selected too many candidates in a race, a confusing error message appeared. If the voter pressed the green "Accept" button, marked with a check, the ballot would be cast with the overvote, and the vote would be lost. The Brennan Center's suggested fixes appear on pages 27 and 28. Problem 4: Difficult Absentee and Provisional Ballot Envelopes * In Minnesota in 2008, nearly 4,000 absentee ballots were not counted because the envelope was not signed. Recognizing the problem, the Minnesota Secretary of State's office worked with design, usability, and plain language experts in 2009 and 2011 to improve the ballot envelope. The changes made to the envelope can be found on pages 31 and 33. "The design flaws that this report documents are not difficult or unknown problems," said Whitney Quesenbery, co-author of the report and a user experience researcher. "I hope that this stark evidence of lost votes inspires every election official to follow good design principles, and test their work to be sure that voters understand how to fill out forms and mark their ballots so their votes will be counted." As election officials finalize ballots and other election forms in the next several weeks, the Brennan Center's report recommends several simple measures that can be taken to ensure votes are counted accurately. Election officials should: 1. Review data on lost votes to determine what problems they may encounter in November. 2. Create a checklist of design best practices to make ballots and other election materials better organized and easily comprehensible. 3. Conduct usability testing to uncover potential problems that may arise. 4. Make voters aware of potential problems if those issues cannot be addressed before the election. The Center's study provides four case studies that demonstrate the powerful impact usability testing, voter education, and other corrective action before an election can have in reducing voter error in elections (beginning on page 36). For all the latest voting rights news, view the Brennan Center's Election 2012 page <http://www.brennancenter.org/content/election2012>. Brennan Center for Justice at NYU School of Law | 161 Avenue of the Americas, 12th Floor | New York, NY 10013 | 646.292.8310 phone | 212.463.7308 fax firstname.lastname@example.org Erik Opsal at email@example.com 646-292-8356. [See also http://www.nytimes.com/2012/08/01/us/voting-systems-plagues-go-far-beyond-identification.html]
Martha T. Moore, *USA Today*, 25 Jul 2012, via ACM TechNews Online voting systems set up by many states are vulnerable to hacking when they allow voters to return ballots online, via email, or Internet fax, according to a new report from the Verified Voting Foundation and Common Cause Education Fund. The report says all states should require overseas ballots to be mailed in because even faxed ballots cannot be independently audited. The report also rates states based on their ability to accurately count votes. The report found that Colorado, Delaware, Kansas, Louisiana, Mississippi, and South Carolina are the least prepared in terms of handling voter problems, while Minnesota, New Hampshire, Ohio, Vermont, and Wisconsin are the most prepared. "The security environment is not what it needs to be to cast ballots over the Internet," says the Common Cause's Voting Integrity Campaign's Sussanah Goodman. West Virginia launched a pilot program in 2010 to enable troops overseas to vote via a secure Web site. The program boosted voter participation for absentee ballots from 58 percent to 76 percent. http://www.usatoday.com/NEWS/usaedition/2012-07-25-State-Voting-study_ST_U.htm
Oakland's system is a special case because of bad design, but this points up the risks of all of the new digital trunked systems. Jaxon Van Derbeken <firstname.lastname@example.org>, *San Francisco Chronicle*, 25 Jul 2012 A major portion of Oakland's troubled police radio system failed shortly after President Obama's visit on 23 Jul 2012, leaving many of the 100 officers assigned to handle presidential security unable to communicate as protesters roamed the streets. "The guys downtown couldn't talk to one another," said Barry Donelan, head of the Oakland Police Officers Association. "It was a train wreck," said Lt. Fred Mestas, who was on duty downtown during and after Obama's speech at a fundraiser at the Fox Theater. Police said officers were suffering sporadic communications problems throughout the time Obama was inside the Fox on Telegraph Avenue, as well as before and afterward. At one point, Mestas said, officers couldn't talk to the Police Department's dispatch center. "That lasted about 30 minutes," Mestas said. "When you have the president there, 30 seconds is too long." Problems worsen The communications issues became severe around 10 p.m., about an hour after Obama left Oakland, city officials said. At that point, police were keeping an eye on demonstrators who had protested during Obama's visit and lingered after he left, occasionally blocking streets. The protests proved to be largely peaceful. "Any radio failure puts officers at risk, but this was a critical situation to provide safety and security for the president and the public," said Donelan, whose union has been outspoken about the radio system's problems. The year-old system has been plagued by breakdowns and dead zones that have left officers' digital radios prone to blackouts across the city and in most commercial buildings, including the basement of police headquarters. A city-hired consultant said last week that the system was not up to urban standards. Regional option The city has so far rejected joining forces with an Alameda-Contra Costa counties regional authority composed of 40 other police and firefighting agencies that is building its own radio system. City Administrator Deanna Santana said she needs to know more about the costs and benefits of the regional network before recommending to the City Council whether to drop Oakland's system. Oakland paid $18 million for the radio system when it became operational last year, largely using grant money. The city built it in consultation with the Richmond office of Dailey and Wells, the local representative for the radio system manufacturer, Harris Corp. of Florida. According to city officials, the problems Monday night were caused by the failure of a cooling unit used on a transmission tower at Gwin Reservoir in the Oakland hills. The tower overheated, causing "severe" communications problems after 10 p.m., said Sgt. Chris Bolton, chief of staff for Police Chief Howard Jordan. The problem was diagnosed by about 12:30 a.m. Tuesday. Fixed next day Karen Boyd, spokeswoman for the city, said the unit was less than 6 months old and that the vendor, Emerson Network Systems, "took full responsibility" for the breakdown. The cooling unit was replaced by midday, but service was not fully restored until about 6 p.m. Tuesday, Bolton said. In the meantime, officers in and around downtown continued to have communications problems. Bolton said he was on duty Monday night and was among those who had trouble contacting fellow officers. "Obviously, we want a reliable radio system," he said. Donelan called the police radio network "inadequate." "It's touch and go every day with this system," Donelan said. "It just happened that one of the antennas went down when the president of the United States was here." Regional system Bill McCammon, executive director of the regional authority building its own network, said city officials reached out to him the day after Obama's visit and want to meet next week about the interagency system, which will be fully functional in September. "We're eager to work with them," McCammon said. Pleasant Hill Police Chief Pete Dunbar, a former Oakland police officer who is on the regional system's board, said he hopes the episode will help persuade the city to join its neighbors' transmission network. "When you have the president of the United States in town and your system goes down," he said, "you wonder what could happen next." Dunbar added, "These stories (about failures) go on and on. But for the grace of God, nobody has gotten hurt. But if you keep this up, it's just a matter of time." http://www.sfgate.com/default/article/Oakland-police-radios-fail-during-Obama-visit-3736022.php
(Jon Brodkin) Spammers used stolen password to access list of Dropbox user e-mails. Jon Brodkin, Ars Technica, 31 Jul 2012 A couple of weeks ago Dropbox hired some "outside experts" to investigate why a bunch of users were getting spam at e-mail addresses used only for Dropbox storage accounts. The results of the investigation are in, and it turns out a Dropbox employee's account was hacked, allowing access to user e-mail addresses. In an explanatory blog post, Dropbox today said a stolen password was "used to access an employee Dropbox account containing a project document with user email addresses." Hackers apparently started spamming those addresses, although there's no indication that user passwords were revealed as well. Some Dropbox customer accounts were hacked too, but this was apparently an unrelated matter. "Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts," the company said. Dropbox noted that users should set up different passwords for different sites. The site is also upping its own security measures. In a few weeks, Dropbox said it will start offering an optional two-factor authentication service. This could involve users logging in with a password as well as a temporary code sent to their phones. ... http://arstechnica.com/security/2012/07/dropbox-confirms-it-got-hacked-will-offer-two-factor-authentication/
(Dan Goodin) Dan Goodin, Ars Technica, 31 Jul 2012 Cloud-based service requires an average of 12 hours to decrypt VPN traffic. Researchers have devised an attack against a Microsoft-developed authentication scheme that makes it trivial to break the encryption used by hundreds of anonymity and security services, including the iPredator virtual private network offered to users of The Pirate Bay. The attack, unveiled by Moxie Marlinspike and David Hulton, takes on average just 12 hours to recover the secret key that iPredator and more than 100 other VPN and wireless products use to encrypt sensitive data. The technique, which has been folded into Marlinspike's CloudCracker service, exploits weaknesses in version 2 of a Microsoft technology known as MS-CHAP, short for Microsoft challenge-handshake authentication protocol. It's widely used to log users into VPN and WPA2 networks and is built into a variety of operating systems, including Windows and Ubuntu. ... http://arstechnica.com/security/2012/07/broken-microsoft-sheme-exposes-traffic/
Woody Leonhard, *InfoWorld*, 30 Jul 2012 Microsoft hits Java where it hurts Microsoft security researcher warns of deteriorating situation with Java—and not just on Windows. Continuing to use Java puts your company and clients at risk http://www.infoworld.com/t/java-programming/microsoft-hits-java-where-it-hurts-198936
"Researchers have devised an attack against a Microsoft-developed authentication scheme that makes it trivial to break the encryption used by hundreds of anonymity and security services, including the iPredator virtual private network offered to users of The Pirate Bay. The attack, unveiled by Moxie Marlinspike and David Hulton, takes on average just 12 hours to recover the secret key that iPredator and more than 100 other VPN and wireless products use to encrypt sensitive data. The technique, which has been folded into Marlinspike's CloudCracker service, exploits weaknesses in version 2 of a Microsoft technology known as MS-CHAP, short for Microsoft challenge-handshake authentication protocol. It's widely used to log users into VPN and WPA2 networks and is built into a variety of operating systems, including Windows and Ubuntu." http://j.mp/NHKPb0 (ars technica via NNSquad)
http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/ "Last month I reached the painful conclusion that I can no longer be associated with the OAuth 2.0 standard. I resigned my role as lead author and editor, withdraw my name from the specification, and left the working group. Removing my name from a document I have painstakingly labored over for three years and over two dozen drafts was not easy. Deciding to move on from an effort I have led for over five years was agonizing... The web does not need yet another security framework. It needs simple, well-defined, and narrowly suited protocols that will lead to improved security and increased interoperability. OAuth 2.0 fails to accomplish anything meaningful over the protocol it seeks to replace... I failed. We failed."
(Mark Piesing) Despite staged malware attack seven months ago, one in four HP laser jet printers still have default password settings Mark Piesing, guardian.co.uk, 23 July 2012 http://www.guardian.co.uk/technology/2012/jul/23/hacking-attack-printers
General warns of dramatic increase in cyber-attacks on U.S. firms http://j.mp/MKPKbt (L.A. Times via NNSquad) "Alexander said the military had yet to work out rules of engagement for responding to cyber-attacks, and he pointed out that neither of his agencies have the authority to defend against a cyber-attack on a private company, even if that company owns crucial infrastructure. The pending bill would fix that, he said. Some business groups oppose the bill as intrusive, and some civil liberties groups say it compromises privacy. Alexander pointedly refused to comment on Stuxnet, a cyber-attack on Iran's nuclear enrichment facilities that has been reported to have been the work of the U.S. and Israeli intelligence. He also pushed back against the notion that the uptick in attacks on the U.S. is related to Stuxnet, which was first discovered in June 2010." There are indeed genuine cybersecurity concerns. But this legislative campaign by Alexander et al. is mostly F.U.D.
(Dan Gillmor) "When Skype became popular just under a decade ago, I repeatedly asked the company a question that I considered crucial. The online calling and messaging service encrypted users' communications, and it was based outside the United States. But the encryption methods were kept secret, so outside researchers couldn't verify their quality - a technique that experts in the field sometimes deride as "security through obscurity" - and I wanted to know whether Skype had a software backdoor that it or anyone else could use to listen into users' calls." http://j.mp/OnbREn (Dan Gillmor, Guardian via NNSquad) [Skype Hype abounds hyperbolically, especially where host systems are compromisable. PGN]
http://j.mp/PWZC09 (BetaBeat via NNSquad) "Early this morning, a pro-WikiLeaks op-ed purporting to be penned by former *New York Times* executive editor Bill Keller cropped up online. It was a stunningly convincing piece of web fraud, its design practically identical to the New York Times's own homepage, with every link leading to an actual Times article or section. The only hint that it wasn't real was the URL: instead of showing as nytimes.com/pages/opinion, it read "opinion-nytimes.com." It's a tiny difference, but a monumentally important one."
Brandon Butler, London Olympics could strain enterprise networks, 30 Jul 2012 http://www.itbusiness.ca/IT/client/en/CDN/News.asp?idh406 first and last paragraphs: It didn't take long to see the first signs of strain on communication networks at the Olympics when overloaded infrastructure on the first day of competition caused organizers to request that spectators scale back their use of Twitter for "non-urgent" messages, according to Reuters. And finally, he says, a lesson from the Olympics issue is that you can't blindly rely on your partners. The issue over the weekend, he notes, was likely caused not only by the Olympics network infrastructure having issues, but also from third-party telecommunications systems that may have been overloaded. If an enterprise is relying on a partner or vendor to supply a networking service, make sure the provider is putting controls into place to handle unexpected issues that may arise as well. [Watch out when you out-source?]
http://j.mp/MNF2kh (Reuters via NNSquad) "Sports fans attending the London Olympics were told on Sunday to avoid non-urgent text messages and tweets during events because overloading of data networks was affecting television coverage."
Such problems are not unique to Arabic signs on buses, of course. A recent TV show had a gravestone with the Hebrew letters arranged in reverse order (the letters themselves were not mirror images). The result of the automated translation was a tombstone reading "pickled at great expense" rather than "dearly missed". If the producers of the show had checked with a native speaker of the language, one would assume s/he would point out the error. As PGN might no doubt comment, this left viewers in a pickle as to the message being sent. http://www.guardian.co.uk/world/shortcuts/2012/jun/17/bbc-comedy-episodes-viral-in-israel
As was clearly depicted last night in the Opening Ceremony of the [...] Olympics in London ... "All partygoers were invited back to the house where Tim Berners-Lee, the Briton who invented the World Wide Web, was at his keyboard. When the house was lifted there was the man himself. And a huge illuminated black and white sign announced "This is for everyone." http://www.dailymail.co.uk/news/article-2179920/Olympics-Opening-Ceremony-London-gets-2012-Games-way-Greatest-Show-On-Earth-rounded-Macca-course.html End of argument. [NOTE: I DELETED the 3-X roman numerals of the Olympics to avoid this issue being filtered/blocked/censored.]
[via Dave Farber's IP distribution] Government funded research and procurement played a major role before, during and subsequent to the "invention" of the Internet. Furthermore, we got an incalculable return on a very small investment. I summarized some of the background in a 1996 CACM article "Seeding Networks: the Federal Role," (http://som.csudh.edu/fac/** lpress/articles/govt.htm <http://som.csudh.edu/fac/lpress/articles/govt.htm> ). Here are some costs from that article ($millions): Morse Telegraph .03 Smithsonian ARPANET 25  CSNET 5  NSFNET Backbone 57.9  NSF Higher-ed connections 30 Dave Staudt, NSF NSF International connections 6.6 Steve Goldstein, NSF In a companion article, published in CACM in 1993, I talked about things done at PARC and other places. The article is called "Before the Altair -- the History of Personal Computing," and its at: http://som.csudh.edu/fac/** lpress/articles/hist.htm <http://som.csudh.edu/fac/lpress/articles/hist.htm>
Please report problems with the web pages to the maintainer