More detail on the brief item in RISKS-27.06. Gerry Bello and Bob Fitrakis, *Free Press* 2 Nov 2012 [excerpted from their website entry on this article on 5 Nov 2012. PGN] http://freepress.org/index2.php http://www.freepress.org/departments/display/19/2012/4768 *The Free Press confirms installation, secret justification of uncertified last minute election tabulation reporting software in Ohio* The Free Press has obtained internal memos from the senior staff of the Ohio Secretary of State's office confirming the installation of untested and uncertified election tabulation software. Yesterday, the Free Press reported that "experimental" software patches were installed on ES&S voting machines in 39 Ohio counties. (see Will "experimental" software patches affect the Ohio vote? <http://www.freepress.org/departments/display/19/2012/4766>). Election Counsel Brandi Laser Seske circulated a memo dated November 1st renewing the already shaky justification for installing software made by Election Systems and Solutions on vote tabulation equipment used in 39 Ohio counties. The letter to Ohio Secretary of State personnel Matt Masterson, Danielle Sellars, Myra Hawkins, Betsy Schuster, and Ohio's Director of Elections Matthew Damschroder, clarified the dubious justification for not complying with the legal requirements for the examination of all election related equipment. Seske begins by explaining what she purports to be the purpose of the software patch: "Its function is to aid in the reporting of results that are already uploaded into the county's system. The software formats results that have already been uploaded by the county into a format that can be read by the Secretary of State's election night reporting system." According to the contract between the Ohio Secretary of State's office and ES&S, this last minute "experimental" software update will supposedly transmit custom election night reports to the Secretary of State's office from the county boards of elections, bypassing the normal election night reporting methods. In order to justify this unusual parallel reporting method, Seske explains "It is not part of the certified Unity system, so it did not require federal testing." This attempt to skirt federal and state law from one of the most partisan Secretary of State offices in the nation ignores basic facts of how modern information systems function. Seske continues "Because the software is not 1) involved in the tabulation or casting of ballots (or in communicating between systems involved in the tabulation or casting of ballots) or 2) a modification to a certified system, the BVME [Board of Voting Machine Examiners] was not required to review the software." These claims are factually unsound. The software, although not communicating actual ballot information, facilitates communication between systems upon which votes are tabulated and stored. Although the software purports to not modify the tabulation system software, it is itself a modification to the whole tabulation system. This is why certification and testing is required in all cases. Just as in 2004, the Ohio Secretary of State's office has enabled the possibility of a "man in the middle" attack. This software, functioning on a network through which votes are transmitted could act to intercept, alter or destroy votes from counties where it is not even installed, hence the "man in the middle" nickname. On September 19, the last minute contract between ES&S and the Ohio Secretary of State's office was inked. Within a week, Seske wrote "He [Matt Masterson] has reviewed and approved the changes." Masterson is the Deputy Director of Elections. After Masterson's approval, Seske acted to bypass the Ohio Board of Voting Machine Examiners required review. "Pursuant to the board's policy, each change will be approved unless three members of the BVME request a meeting to review a change within 15 days of today's date. Given the proximately of the upcoming election, please let me know as soon as possible whether you will be requesting a meeting to review the changes," wrote Seske. Government reports such as Ohio's Everest study document that any single change to the system could corrupt the whole voting process. <http://www.sos.state.oh.us/sos/upload/everest/00-SecretarysEVERESTExecutiveReport.pdf> An unelected, partisan group of attorneys appears to have conspired to install election software without testing and certification that they are professionally unqualified to pass judgment upon. These types of last minute installations of software patches on voting machines are considered suspect by knowledgeable and experienced election protection attorneys, in light of all the voting machine irregularities exposed during the 2004 election in Ohio. /Gerry Bello is the chief researcher at the Columbus Free Press. He holds a degree in computer security from Antioch College. Bob Fitrakis is the Editor of the Free Press. He holds Ph.D. in Political Science and a J.D. from the Moritz College of Law at Ohio State University. [Here are just a few of the Recent Election Issues Articles noted on their website. The complete list is rather astounding, and not included here. Please see the freepress.com website if you are interested. PGN] Another Husted dirty trick in Ohio: Secretary of State's Office admits direct reporting function of untested election software </departments/display/19/2012/4779> November 5, 2012 / Gerry Bello and Bob Fitrakis/ OHIO ? VOTE HEIST 2012? </departments/display/19/2012/4780> November 5, 2012 / Ecological Options Network/ Invoices prove Romney-related voting company Hart InterCivic does maintenance on Cincinnati voting machines </departments/display/19/2012/4782> November 5, 2012 / Gerry Bello and Bob Fitrakis/ The electronic architecture of voter suppression </departments/display/19/2012/4777> November 4, 2012 / Gerry Bello and Bob Fitrakis/ As Ohio Faces vote-rigging lawsuit, are dems, liberals, election officials ready to safeguard votes? </departments/display/19/2012/4776> November 4, 2012 / Art Levine/ Busting Election Theft Attempts </departments/display/19/2012/4778> November 4, 2012 / Ecological Options Network/ Will Your Vote Even Get Counted? </departments/display/19/2012/4774> November 3, 2012 / Sheila Parks/ The Free Press confirms installation, secret justification of uncertified last minute election tabulation reporting software in Ohio </departments/display/19/2012/4768> November 2, 2012 / Gerry Bello and Bob Fitrakis/ Will "experimental" software patches affect the Ohio vote? </departments/display/19/2012/4766> October 31, 2012 / Bob Fitrakis and Gerry Bello/ Why we fight to prevent stolen elections in 2012 and beyond </departments/display/19/2012/4767> October 31, 2012 / Joan Brunwasser, Sally Castleman, Victoria Collier, Bob Fitrakis, Lori Grace, Emily Levy, Mark Crispin Miller, Greg Palast, Jonathan Simon and Harvey Wasserman/ Mike Connell: Man in the Middle </departments/display/19/2012/4765> October 30, 2012 / John Wellington Ennis/ Gripping documentary exposes voter suppression and election rigging in the 2004 presidential election </departments/display/19/2012/4764> October 29, 2012 / Roger Hill/ Thom Pintello: I Just Want My Vote to Count" </departments/display/19/2012/4761> October 27, 2012 / A short film by Dorothy Fadiman/ 1021 E. Broad St. Columbus, OH 43205 | 614.253.2571 | email@example.com <mailto:firstname.lastname@example.org>
Jeffrey Collins, Haley defends not encrypting taxpayer information, Augusta Chronicle via NNSquad, http://j.mp/WX2Qpn Up to 3.6 million returns from as far back as 1998 might have been compromised by the international hacker, who likely penetrated the [SC] Department of Revenue's system a month before the breach was detected by the U.S. Secret Service. "The industry standard is most Social Security numbers are not encrypted. A lot of banks don't encrypt," Haley said. "It's very complicated. It's very cumbersome. There's a lot of numbers involved with it."
http://j.mp/PmjziU (*The New York Times* via NNSquad) "Cellphone calls in the Northeast region were continuing to fail Wednesday because one-quarter of the transmission sites in areas ravaged by Hurricane Sandy were knocked out and many of those are not expected to come back online for several days at least, government officials said. " I frequently remind people thinking about going cell-only with no landlines, that cell service is usually the first to become overloaded and fail during major disasters. Microcell batteries often run out very quickly after power goes down, as well.
"The decision on what sites are to be banned will be enacted by the sinister-sounding Roskomnadzor (aka the Agency for the Supervision of Information Technology, Communications and Mass Media) and enforced with deep-packet inspection of all Internet traffic across the country, which must be reassuring for those using Russian cloud providers." http://j.mp/Wcfn9r (Register via NNSquad) Stalin Smiles.
[`colo' refers to colocation, not Colorado! Both may be risky? PGN] Matt Prigge, InfoWorld, 05 Nov 2012 http://www.infoworld.com/d/data-explosion/what-look-onsite-when-choosing-colo-facility-206320 What to look for onsite when choosing a colo facility Hurricane Sandy provides an excellent reminder that no matter how good a colo's facilities look on paper, careful attention to detail is critical to picking a good one interesting sentence: In one case, a data center literally had to run a manual bucket brigade to lift diesel fuel to roof-mounted generators because the fuel pumps in the sub-basement were submerged in flood water—an act that is nothing short of heroic.
"Not since the birth of the iPhone has the pay phone experienced such demand, thanks to Sandy. Natural disasters tend to vindicate the public pay phone. With their clunky bodies mounted high and sometimes behind glass stalls, they generally remain serviceable during power outages, even amid flooding. When times get tough, in fact, the biggest challenge is often keeping the devices free of coin overloads." http://j.mp/WbJON6 (Ben Cohen, *Wall Street Journal*, 31 Oct 2012, via NNSquad) It's worth noting that the push to eliminate POTS phone service—being lead by AT&T who wants everything to be VoIP (mainly to evade regulations on traditional phone service) could have enormous negative implications for emergency situations when cellular and Internet service fails. The reason most traditional POTS lines stay up is that they are connected by copper directly to the central office and powered from massive batteries there. There are critical public safety issues to be considered in this entire area.
They're coming out of the walls! DR commenters on hurricane Sandy. http://www.infoworld.com/d/data-center/after-hurricane-sandy-lessons-the-data-center-206304 Paul Venezia | InfoWorld, 05 Nov 2012 After Hurricane Sandy: Lessons for the data center You never want to say 'I told you so,' but now is a good time to bring up the need for better monitoring, backup power, and other improvements A commenter points out some generator failure modes and the difficulty in testing.
[NY Times explanation for Bellevue Hospital's shutdown] "After pumping out 17 million gallons of water from the basement, the water is still two and a half feet deep in the cavernous basement where the fuel pumps apparently shorted out and became inoperable - unable to feed the 13th-floor backup generators, [Health and Hospitals Corp - which runs Bellevue - President] Mr. Aviles said." http://www.nytimes.com/interactive/2012/10/28/nyregion/hurricane-sandy.html Bellevue Hospital is only about 20 feet above sea level, and hence the basement is below the water table. And requires sump pumps. I've never been able to verify the story, but supposedly back in the 1965 blackout a similar event happened. The backup generators kicked in, but the sump pumps weren't hooked into the emergency circuit so a few hours later, etc., etc. True, the initial surge from the hurricane brought a LOT of additional water inside, but once the tide was back to normal levels the levels should have been brought under control pretty soon.
"Tell me, Mr Weinstein, what good is your landline when you're unable to speak?" That is, I used to believe that myself, but over the years I've developed doubts. What you get * May or may not be a good old powered POTS circuit completely independent of the voice, data, and/or video fiberm and/or coax taken out by the disaster, * May or may not get taken out by the disaster that wiped out the above fiber/coax, * If still operational, may or may not be overloaded by all the emergency calls, * All that for a small price of a new ipad/year (assuming a private residence line after factoring in all the applicable taxes and fees as well as must-have "premium" services like unlisted number and call blocking to filter out the worst of the robo-calls). The tricky part about risk management is realizing that at some point you have to just let it go. Dimitri Maziuk, Programmer/sysadmin, BioMagResBank, UW-Madison http://www.bmrb.wisc.edu
[In my desire to get the previous issue out, I neglected to provide an adequate reference for the Simons/Jones CACM paper. Here it is, thanks to Monty. PGN] Barbara Simons, Douglas W. Jones Internet Voting in the U.S. Communications of the ACM, Vol. 55 No. 10, Pages 68-77 10.1145/2347736.2347754 October 2012 http://cacm.acm.org/magazines/2012/10/155536-internet-voting-in-the-us/fulltext http://cacm.acm.org/magazines/2012/10/155536-internet-voting-in-the-us/pdf
[From NNSquad] I just posted some video of a related event - a recent forum in NYC on the vulnerability of all e-voting systems to fraud. Some interesting stuff about a) ownership of the firms (some shady) that make/operate the systems, b) a general lack of oversight/ accountability, c) vulnerability to manipulation. According to two panelists, the MOVE Act's back end is now operated by a Spanish company. Several other countries, for instance Ireland, have dumped electronic voting entirely. <http://en.wikipedia.org/wiki/Military_and_Overseas_Voter_Empowerment_Act> <http://www.independent.ie/national-news/54m-voting-machines-scrapped-for-9-each-3153437.html>, Full Version http://www.youtube.com/watch?v=KAPqimT85o0 Highlights http://www.youtube.com/watch?v=ROftmMKkYbo
12th Annual Workshop on the Economics of Information Security June 11-12, 2013 Georgetown University, Washington DC http://weis2013.econinfosec.org/ CALL FOR PAPERS Information security continues to grow in importance, as threats proliferate, privacy erodes, and attackers evolve. Cybersecurity fears and privacy concerns dominate headlines. Yet the security of information systems depends on more than just technology. Good security requires an understanding of the incentives and tradeoffs inherent to the behavior of systems and organizations. As society's dependence on information technology has deepened, policy makers and business leaders have taken notice. Now more than ever, careful research is needed to accurately characterize threats and countermeasures, in both the public and private sectors. The Workshop on the Economics of Information Security (WEIS) is the leading forum for interdisciplinary scholarship on information security, combining expertise from the fields of economics, social science, business, law, policy and computer science. Prior workshops have explored the role of incentives between attackers and defenders, identified market failures in Internet security, quantified risks of personal data disclosure, and assessed investments in cyber-defense. This workshop will build on past efforts using empirical and analytic tools to not only understand threats, but strengthen security and privacy through novel evaluations of available solutions. We encourage economists, computer scientists, business school researchers, law scholars, security and privacy specialists, as well as industry experts to submit their research and attend the Workshop. Suggested topics include (but are not limited to) empirical and theoretical economic studies of: - Optimal investment in information security - Measurement and modeling of online crime - Risk management and cyberinsurance - Security standards and government regulation - Privacy, confidentiality and anonymity - Behavioral security and privacy - Security metrics and organizational performance - Psychology of risk and security - Vulnerability discovery, disclosure, and patching - Cyberwar strategy and game theory - Incentives for information sharing, cooperation and coordination Of particular interest this year are papers that can address the global problems of cybersecurity policy, including international conflict and coordination, government regulation and private sector solutions. A selection of papers accepted to this workshop will appear in an edited volume aimed to offer insights to policy makers, managers and practitioners, as well as the larger academic community. Important Dates Submissions due February 25, 2013 Notification of Acceptance April 12, 2013 Workshop June 11-12, 2013 Submitted manuscripts should represent significant and novel research contributions. Please note that WEIS has no formal formatting guidelines. Previous contributors spanned fields from economics and psychology to computer science and law, each with different norms and expectations about manuscript length and formatting. For questions, please contact the program chair Allan Friedman at email@example.com [Thanks to Jeremy Epstein, who forwarded this to RISKS. He says, “I highly recommend this very interesting conference, now in its 11th year.'' PGN]
Please report problems with the web pages to the maintainer