The RISKS Digest
Volume 27 Issue 09

Wednesday, 21st November 2012

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Future of Federal Cybersecurity R&D Strategies Webcast
Jeremy Epstein
Largest identity theft ever?
Mark Thorson
Largest U.S. identity theft ever?
Mark Thorson
Two items of potential interest on the 2012 election
Thom Hartmann/Sam Sacks
ORCA, Mitt Romney's high-tech get-out-the-vote program, crashed on Election Day
Michael Kranish via Monty Solomon
"Unleashed! Project Orca, the campaign killer whale"
Robert X. Cringely via Gene Wirchenko
Security issues threaten to derail tablet voting
Rebecca Mercuri
Estonia: WNYC's On the Media
E. John Sebes
Scientists Find Cheaper Way to Ensure Internet Security
John Markoff
Consequences of Facebook photo misidentification
Ken Olthoff via PGN
Android flaw blocks December dates
Mark J Bennison
Big Data and Europe's "Right to be Forgotten"
Lauren Weinstein
Bloomberg news: Why Cell Phones Went Dead After Hurricane Sandy
Susan Crawford via Dave Farber
Less privacy protection for IMAP users
Steven J Klein
Privacy and surveillance
Steve Summit
"Unlocking the brilliance in high tech"
Gene Wirchenko
Re: Summary of my experiences on the election
Richard S. Russell
2012 Layered Assurance Workshop (LAW) Final Program
Rance DeLong
Info on RISKS (comp.risks)

Future of Federal Cybersecurity R&D Strategies Webcast

Jeremy Epstein <>
Wed, 21 Nov 2012 21:49:59 -0500
  Future of Federal Cybersecurity R&D Strategies Webcast
  When: Tuesday, 27 Nov 2012
  Time: 1:00pm-3:00pm EST
  Webcast link:

Join a webcast of the Federal government's cybersecurity research and
development strategies.  Senior Federal representatives will review
Government activities in implementing the Federal cybersecurity R&D
strategic plan and discuss emerging areas in cybersecurity research that may
warrant further focus. The webcast session is part of the National Science
Foundation's Secure and Trustworthy Cyberspace Conference.  Additional
information about the conference is available at

Largest identity theft ever?

Mark Thorson <>
Tue, 20 Nov 2012 15:09:47 -0800
Man arrested for theft of "9 million files" said to comprise identity data
for roughly 2/3 of the Greek population.

I suppose this is the inevitable result of organizations that aggregate such
massive quantities of data combined with technology that allows it all to
fit on a tiny USB stick.  Sooner or later, all of the data anyone might care
about will fit on such a stick, including every private e-mail you've ever
sent via cloud-based services and every embarrassing private photo you've
ever uploaded to a personal profile.

Largest U.S. identity theft ever?

Mark Thorson <>
Wed, 21 Nov 2012 13:01:32 -0800
3.8 million tax returns stolen by phishing attack against
the state of South Carolina.

Two items of potential interest on the 2012 election

"Peter G. Neumann" <>
Tue, 20 Nov 2012 15:37:18 PST
1. Anonymous, Karl Rove, and 2012 Election Fix?
Thom Hartmann and Sam Sacks, The Daily Take: Unless Anonymous presents
evidence to support its claims that Rove planned to steal the presidential
election for the GOP, its work will be relegated to the status of Internet
antics—and the dustbins of history.

2. Why Anonymous' Claims about Election-Rigging Can't Be Ignored
Thom Hartmann and Sam Sacks, The Daily Take: Given historical trends, why is
it inconceivable to some that Karl Rove may have tried to electronically rig
the election of 2012 in three states?

ORCA, Mitt Romney's high-tech get-out-the-vote program, crashed on Election Day (Michael Kranish)

Monty Solomon <>
Sun, 11 Nov 2012 16:10:30 -0500
Michael Kranish, *The Boston Globe*, 2 Nov 2012

Mitt Romney's online voter-turnout operation suffered a meltdown on Election
Day, resulting in a crucial 90-minute "buckling" of the system in Boston and
the inability of some campaign workers across the country to use a vital
smartphone program, according to campaign officials and volunteers.

Code-named ORCA, the program was kept secret until just before the election
in order to prevent hacking of the system. It was then trumpeted by Romney's
aides as an unrivaled high-tech means of communicating with more than 30,000
field workers who were stationed at polling places on Election Day. Those
volunteers were supposed to track who voted and to alert Boston headquarters
if turnout was lower than expected at key precincts.

But at Boston's TD Garden, where 800 Romney workers were staffing phones and
computers in coordination with the field workers to oversee the turnout, the
surge in traffic was so great that the system didn't work for 90 minutes,
causing panic as staffers frantically tried to restore service. Some
campaign workers also reported that they had incorrect PINS and had not been
informed that they needed certification to work at polling places. ...

"Unleashed! Project Orca, the campaign killer whale" (Cringely)

Gene Wirchenko <>
Sun, 11 Nov 2012 18:39:59 -0800
Robert X. Cringely, *InfoWorld*, 09 Nov 2012
Unleashed! Project Orca, the campaign killer whale
Big data fails big time for the Romney camp as its smartphone app
crashes spectacularly, right on schedule for Election Day

Security issues threaten to derail tablet voting

Rebecca Mercuri <>
Tue, 06 Nov 2012 13:46:07 -0500
  [My apologies to Rebecca Mercuri.  Seh sent me this item just *before* the
  election, and I requeued it to RISKS for the post-election issue—but
  somehow it fell through the crack.  However, it is still very timely.  PGN]

This interview was done a while ago, but they apparently held the article
for publication immediately prior to the election. A few of my quotes
sounded even more pithy given the e-mail and fax voting options in NJ.

  [For example, see Andrew Appel's Freedom-to-Tinker item in RISKS-27.06.

Incidentally, *everyone* in NJ could have availed themselves of paper ballot
voting if they had registered as permanent absentees (no reason needed).
It's an easy form, and every year, like clockwork, your ballot shows up to
fill out and send back (or drop off at the County Board of Elections).  No
polls, no lines, no waiting.  And indeed, these are the only voter-verified
records available for hand-recounts in the Garden State.

WNYC's On the Media

"E. John Sebes" <>
Mon, 12 Nov 2012 10:08:39 -0800
3 reasons why Estonia's e-voting is irrelevant to the U.S.

1) Estonia has a national ID system that enables strong authentication of
   online citizen/gov't transactions. U.S. has no prospect of a national ID
   system, and no state has a state ID system that supports online

2) Estonia's elections are administered by the Federal government. U.S.
   elections are administered locally.

3) Even with much federal funding for a central I.T. system for i-voting,
   the result was a system with low software integrity and lax datacenter
   operations that were given a "gentleman's C-" by independent review by
   OSCE. In the less polite U.S., that grade would have been an "F".

Instead of saying "If it works in Estonia, why can't it work in the U.S?"
the question is "If it did not work in Estonia, why would you think it would
work for each of the thousands of U.S. local elections?"

Scientists Find Cheaper Way to Ensure Internet Security (John Markoff)

"Peter G. Neumann" <>
Wed, 21 Nov 2012 20:56:55 PST
John Markoff, *The New York Times*, 20 Nov 2012,
Scientists at Toshiba and Cambridge University have perfected a technique
that offers a less expensive way to ensure the security of the high-speed
fiber optic cables that are the backbone of the modern Internet.

The research, which will be published Tuesday in the science journal
Physical Review X, describes a technique for making infinitesimally short
time measurements needed to capture pulses of quantum light hidden in
streams of billions of photons transmitted each second in data
networks.  Scientists used an advanced photodetector to extract weak photons
from the torrents of light pulses carried by fiber optic cables, making it
possible to safely distribute secret keys necessary to scramble data over
distances up to 56 miles.

Such data scrambling systems will most likely be used first for government
communications systems for national security.  But they will also be
valuable for protecting financial data and ultimately all information
transmitted over the Internet.

The approach is based on quantum physics, which offers the ability to
exchange information in a way that the act of eavesdropping on the
communication would be immediately apparent.  The achievement requires the
ability to reliably measure a remarkably small window of time to capture a
pulse of light, in this case lasting just 50 picoseconds—the time it
takes light to travel 15 millimeters.  ...

  [I'm very fond of David Wagner's comment to the effect that quantum
  cryptography takes money that people don't have to solve a problem they
  don't have.  PGN]

Consequences of Facebook photo misidentification

"Peter G. Neumann" <>
Thu, 15 Nov 2012 10:24:19 PST
  [Thanks to Kenneth Olthoff for spotting this one.  PGN]

If you thought that embarrassing photos from a party where you had one too
many were a problem on Facebook, here's one from the BBC about the face of
the "martyr" that was the wrong person's photo. It led to the woman whose
photo was mistakenly used having to flee her country.

Android flaw blocks December dates

"Mark J Bennison (UK)" <>
Mon, 19 Nov 2012 12:32:46 +0000
The People app calendar goes from November 2012 to January 2013, and
completely omits December.  The People app is the default app for contact
info on Androids.

  [The Androgrinch stole Christmas?  PGN]

Big Data and Europe's "Right to be Forgotten"

Lauren Weinstein <>
Tue, 20 Nov 2012 21:58:35 -0800
Will Big Data sink Europe's nightmarish "Right to be Forgotten" concept?
Let's hope so!  (GigaOM via NNSquad)

  "A report by Europe's cybersecurity agency points out several flaws with
  the proposed 'right to be forgotten'. A big one has to do with the
  challenges presented by the increasing use of aggregated data."

Good. Very good. Excellent.  Just about anything that helps to kill
off the nightmarish Right to Be Forgotten concept is welcome.
Background reading on this issue: "The 'Right to Be Forgotten'.

A Threat We Dare Not Forget":  (Lauren's Blog)

Bloomberg news: Why Cell Phones Went Dead After Hurricane Sandy by Susan Crawford

Dave Farber <>
Fri, 16 Nov 2012 20:29:07 -0500
After Hurricane Sandy, survivors needed, in addition to safety and power,
the ability to communicate. Yet in parts of New York City, mobile
communications services were knocked out for days.

The problem? The companies that provide them had successfully resisted
Federal Communications Commission calls to make emergency preparations,
leaving New Yorkers to rely on the carriers' voluntary efforts.

Susan Crawford is a monthly columnist for Bloomberg View. She is a visiting
professor at Harvard's Kennedy School of Government and at Harvard Law

  [This is a long item from Dave Farber's IP distribution, truncated for
  RISKS, but worth pursuing.  It generated extensive comments that are
  included at the above URL.  PGN]

Contacts: Susan P. Crawford at or @scrawford
<> on Twitter.

Less privacy protection for IMAP users

Steven J Klein <>
Wed, 14 Nov 2012 17:55:59 -0500
In the US, e-mail privacy is protected by the Electronic Communications
Privacy Act. The law, passed in 1986, requires that law enforcement
officials obtain a warrant to intercept & read private e-mail.

But the law has a critical flaw: It treats e-mail left on third-party
servers for 180 days as “abandoned.” All that’s necessary for the
government to get copies of those older messages is for a prosecutor to
request them.

Now that IMAP and web-based mail is commonplace, many people use mail
servers for permanent storage of old messages. I doubt the average gmail
user considers his old messages as abandoned.

Apparently this loophole played a role in the recent investigation of CIA
director General Petraeus.

A coalition of e-mail service providers is seeking a revision of the law to
treat messages in the cloud the same as messages stored on a home computer.

The Obama administration opposes the change.

Privacy and surveillance

Steve Summit
Wed, 14 Nov 2012 02:26:21 -0800
Good *NYT* article on the conflicting goals of investigating harassment or
security breaches, versus respecting people's privacy.

"The F.B.I. investigation that toppled the director of the C.I.A. [...]
underscores a danger that civil libertarians have long warned about: that in
policing the Web for crime, espionage and sabotage, government investigators
will unavoidably invade the private lives of Americans."  "What began as a
private, and far from momentous, conflict between two women [...] has had
incalculable public costs."

"Unlocking the brilliance in high tech"

Gene Wirchenko <>
Mon, 12 Nov 2012 09:27:23 -0800
Unlocking the brilliance in high tech
Author describes her journey in the male dominated engineering trade
11/10/2012 5:09:00 PM By: Christine Wong

This article is mainly about how one woman got going in engineering, but
then gets into a risk of not having more women in the field.  "Examples in
her book include the fact that voice recognition software and car air bags
weren't originally designed with female users in mind, an oversight that had
disastrous results in the former case and life threateningly dangerous
consequences in the latter."

Re: Summary of my experiences on the election (Re: Jones, R-27.08)

"Richard S. Russell" <>
Sun, 11 Nov 2012 22:59:45 -0600
> From: "Jones, Douglas W" <>

> In my opinion, Florida's legislature can make several changes to address
> these problems...

There are 2 halves to this idea. The good half is for the long form to
contain all the legalese, the official language that actually accomplishes
something, with the short form containing the PR version that conveys a
layperson's interpretation of the measure.

The bad half is letting the proponents compose the PR version. This is
likely to lead to things like "Little pig-tailed girls love kitties and
rainbows and butterflies, and isn't that wonderful?", regardless of what the
measure actually accomplishes. Its proposers will naturally skew the
interpretation to be as favorable as possible toward the outcome they

Here in Wisconsin the short-form wording is composed by the non-partisan
Legislative Reference Bureau, and this seems to have been satisfactory,
although we haven't had such issues with nearly the frequency of other

On a related matter, I muse that sooner or later some jurisdiction will try
on-line voting, some 13-year-old computer whiz will hack the system to get
himself elected mayor or governor, and that'll be the end of that.

Richard S. Russell, a Bright (
2642 Kendall Av. #2, Madison  WI  53705-3736
608+233-5640 •

2012 Layered Assurance Workshop (LAW) Final Program

Rance DeLong <>
Wed, 21 Nov 2012 10:17:37 -0800
The Sixth Layered Assurance Workshop (LAW) co-located with the 28th
Annual Computer Security Applications Conference (ACSAC 2012)
Buena Vista Palace Hotel & Spa in the Walt Disney World Resort, Florida, USA
3-4 December 2012

The Layered Assurance Workshop is just twelve days away. The final LAW
program is available at the link above. See the program for the interesting
panels and papers.  Registration for LAW may be accomplished through the
ACSAC registration page at

We look forward to your participation.
Rance J. DeLong, Workshop Chair

  [Disclaimer: I'll be participating in both LAW2012 and ACSAC.
  Both very worthy meetings.  PGN]

Please report problems with the web pages to the maintainer