Jim Horning was one of my favorite friends, colleagues, associates, and a long-time inspiration, spanning the past 38 years. He was active in the computer field since 1958. He was a vital member of the ACM Committee on Computers and Public Policy, continuously since 1985; he contributed to the very first issue of the ACM Risks Forum (1 Aug 1985), and he wrote or co-wrote seven CACM Inside Risks articles. He also played significant roles in USACM. We worked together on a joint CPSR/ACLU report for the House Committee on Civil and Constitutional Rights in 1989. He made many thoughtful technical and socially aware contributions, always with wisdom, common sense, and humanity. I valued every contact I ever had with him. He will be very deeply missed by all who knew him, and indirectly by many who did not.
Luther Weeks, 21 Jan 2013 Op-Ed outlining the integrity risks of the National Popular Vote Compact http://www.ctnewsjunkie.com/ctnj.php/archives/entry/op-ed_voting_requires_vigilance._popular_isnt_always_prudent/ One third of Americans vote on machines, without the paper ballots we use in Connecticut. Our president is chosen based on faith in those unverifiable machines, vote accounting, and unequal enfranchisement in 50 independent states and the District of Columbia. In 2000, we witnessed the precarious underpinnings of this state-by-state voting system combined with the flawed mechanism of the 12th Amendment and the Electoral Accounting Act. The Supreme Court ruled votes could not be recounted in Florida, because even that single state did not have uniform recount procedures. What could possibly make this system riskier? The National Popular Vote Compact now being considered in states, including Connecticut, would have such states award their electoral votes to a purported national popular vote winner. The Compact would take effect once enough states signed on, equaling more than one-half the Electoral College. Then the President elected would be the one with the most purported popular votes. Sounds good and fair at first glance. Looking at the touted benefits and none of the risks, many legislators, advocates, and media influence the public to make the Compact popular in some polls. Popular is not always prudent. Voting requires vigilance. The Compact, cobbled on an already precarious system, would exacerbate its flaws, adding additional risks. Currently, errors, voter suppression, and fraud can only sway the result in the few swing states. With the Compact, errors, suppression, and fraud in every state would count toward the popular vote total. Compact supporters overlook and proponents befog the reality that there would be no official national popular vote total available in time for states to choose their electors.
The only official popular vote total is the sum of the Certificates of Attainment sent by each state to the national Archivist. They cannot be used for choosing electors, since certificates are not required to be sent until seven days after electors are chosen and are not required to arrive in Washington until fifteen days after the electors must be chosen. Supreme Court decisions in 2000 and 1876 stress that these dates must be strictly followed. Even if the totals could be obtained in time from each state, they would not be audited and could not be recounted. Compact proponents obfuscate this by describing how some states routinely perform audits or recounts. They conveniently ignore that about one-third of the states do not have audits and recounts; many voting machines cannot be audited; state recounts are based on close-vote margins within a state, so even in those states, recounts would not be triggered by a close national vote. Just as critical, there would be insufficient time for recounts or audits given the strict Constitutional deadlines. The Supreme Court would likely reject any recount going beyond state borders, using the same reasoning used to reject the 2000 Florida recount, as insufficiently uniform. Additional legal challenges and maneuvers under the Compact would also be available for partisans bent on sending any reasonably close election to the Supreme Court or Congress. States not signing the Compact could delay certifying and transmitting results until the latest deadline. Partisans could dispute results in their states or sue their Secretary of State for using uncertified results from other states, delaying reporting or negating the state's Electoral College vote. Nothing is available, but legal challenges, even in Compact states, to deter a future partisan Secretary of State from failing to follow the Compact. Supporters and opponents debate other contentions for and against the Compact, most of which are subjective and speculative. e.g. 
Which is more ideal, the current Federal system or the popular vote? Would small states or large states benefit more from the Compact? Where would candidates campaign and join with PACs in media buys? How equal would every voter actually be, given the state-by-state system of voter enfranchisement, disenfranchisement, suppression, and registration? An accurate, fair, and credible popular vote requires a uniform, workable national voting system we can trust. That is, a system with uniform enfranchisement, paper ballots, effective audits, and national recounts, enforceable and provably enforced as a prerequisite to considering a national popular vote. Luther Weeks is executive director of CTVotersCount <http://www.ctvoterscount.org/>. [This is an extremely complicated issue. However, as long as we have partisan election management with unauditable voting machines, non-level playing fields regarding registration and voter rights, extreme difficulties in retroactively determining manipulations and unethical, illegal, or deceptive practices, no system can be claimed to be fair. Readers of RISKS should be well aware of the wide range of pitfalls. PGN]
http://j.mp/10DqhqW (*Science* via NNSquad) [Free read with registration] "Sharing sequencing data sets without identifiers has become a common practice in genomics. Here, we report that surnames can be recovered from personal genomes by profiling short tandem repeats on the Y chromosome (Y-STRs) and querying recreational genetic genealogy databases. We show that a combination of a surname with other types of metadata, such as age and state, can be used to triangulate the identity of the target. A key feature of this technique is that it entirely relies on free, publicly accessible Internet resources. We quantitatively analyze the probability of identification for U.S. males. We further demonstrate the feasibility of this technique by tracing back with high probability the identities of multiple participants in public sequencing projects."
"Last Friday, a 198-page government report to the French Ministry of the Economy outlined a proposal that, if approved by the French government, would impose a tax on tech companies based on how many users a site like Facebook or Google has, and how much personal information those companies hold." http://j.mp/WmsSiF (ars technica via NNSquad) Passage of such a law would be immediately followed by the creation of the secret French government department to create millions of fake Google users and share as much fake personal information about them as possible!
http://j.mp/WeMk0C (*Journal News* via NNSquad) "Today The Journal News has removed the permit data from lohud.com. Our decision to do so is not a concession to critics that no value was served by the posting of the map in the first place. On the contrary, we've heard from too many grateful community members to consider our decision to post information contained in the public record to have been a mistake. Nor is our decision made because we were intimidated by those who threatened the safety of our staffers. We know our business is a controversial one, and we do not cower." And of course, proving again that "public is public" and that trying to hide on the Internet is hopeless once it has been widely publicized, there are the various available related mirrors: http://j.mp/WeM2a6 (Google Sites) More info: Gawker releases list of gun owners in New York City (1/8/2013) http://j.mp/WeMUeE (Poynter)
"FB's glistening new search engine makes finding interesting things about yourself, your past, and all of your friends excitingly easy. It also makes it a cinch to find strangers who are openly racist, sexist, and generally embarrassing." http://j.mp/WeQe9D (Gizmodo via NNSquad) [Warning: link is not safe for work or family!] The link above is Not Safe for Family. Not Safe for Work. Let's face it, Facebook just plain isn't safe.
"The Daily News", Kamloops, British Columbia, Canada, 2013-01-12, p. A6: "Distracted driver hits senior while using her iPod NORTH VANCOUVER A 19-year-old woman is facing charges in North Vancouver after she drove onto a sidewalk and struck a 70-year-old man while using her iPod. The RCMP say the victim was walking home from a gym when he was struck yesterday at Mount Seymour Parkway and Emerson Way. He suffered extensive injuries including a broken leg and broken ribs, but he is expected to survive. Police say the driver has been charged with driving without due care and attention while using an electronic device."
Ted Samson, *InfoWorld*, 16 Jan 2013 Facebook's new search engine serves up the kind of data that cyber scammers love http://www.infoworld.com/t/internet-privacy/facebook-graph-search-may-be-social-engineering-nightmare-211002
"If you lose your cellphone, don't blame Wayne Dobson" Due to a quirk in cellphone location tracking, a resident of North Las Vegas has repeatedly been visited by people who believe that he has their lost cellphones. More seriously, police responded to the same address in error - due to a cellphone 911 call reporting a domestic violence incident. http://www.lvrj.com/news/if-you-lose-your-cellphone-don-t-blame-wayne-dobson-186670171.html
http://news.nationalpost.com/2013/01/20/youth-expelled-from-montreal-college-after-finding-sloppy-coding-that-compromised-security-of-250000-students-personal-data/ A student has been expelled from Montreal's Dawson College after he discovered a flaw in the computer system used by most Quebec CEGEPs (General and Vocational Colleges), one which compromised the security of over 250,000 students' personal information. Ahmed Al-Khabaz, a 20-year-old computer science student at Dawson and a member of the school's software development club, was working on a mobile app to allow students easier access to their college account when he and a colleague discovered what he describes as "sloppy coding" in the widely used Omnivox software which would allow "anyone with a basic knowledge of computers to gain access to the personal information of any student in the system, including social insurance number, home address and phone number, class schedule, basically all the information the college has on a student." "I saw a flaw which left the personal information of thousands of students, including myself, vulnerable, I felt I had a moral duty to bring it to the attention of the college and help to fix it, which I did. I could have easily hidden my identity behind a proxy. I chose not to because I didn't think I was doing anything wrong." After an initial meeting with Director of Information Services and Technology Francois Paradis on 24 Oct 2012, where Mr. Paradis congratulated Mr. Al-Khabaz and colleague Ovidiu Mija for their work and promised that he and Skytech, the makers of Omnivox, would fix the problem immediately, things started to go downhill. Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected.
A few minutes later, the phone rang in the home he shares with his parents. "It was Edouard Taza, the president of Skytech. He said that this was the second time they had seen me in their logs, and what I was doing was a cyber attack. I apologized, repeatedly, and explained that I was one of the people who discovered the vulnerability earlier that week and was just testing to make sure it was fixed. He told me that I could go to jail for six to twelve months for what I had just done and if I didn't agree to meet with him and sign a non-disclosure agreement he was going to call the RCMP and have me arrested. So I signed the agreement." ...
the rest of the article goes on to say - 1. Taza from Skytech denies he threatened Al Khabaz, and said that he'd told him that discovering vulns was fine, but pen-testing their systems uninvited to see whether the vulns were fixed or not wasn't legal. 2. The school seems to have separately decided to expel him, with 14 out of 15 professors voting to expel, though without giving him a hearing first.
The following stands out: Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected. A few minutes later, the phone rang in the home he shares with his parents. When I was a program manager at (D)ARPA in the early 1970s, I ran tiger teams on the Arpanet and quickly discovered the importance of discipline in the process. It's one thing to find flaws, it's something else entirely to disclose them publicly, and it's further something else to run subsequent "tests" to determine whether the flaw has been fixed. The people who find the flaws often develop a sense of ownership and entitlement, and that's where trouble arises. A "20-year-old computer science student, and a member of the school's software development club" probably had no training or counseling regarding finding and reporting flaws. Having reported his findings to responsible parties, he fulfilled his moral obligations and he should have remained at arm's length from the system unless invited to do further work, but this might not have been evident to him. Conversely, the school's elders should have gone further than congratulating the student for his work. They should have realized the need to counsel the student that his role was now complete, that he needed to stay away from further action, and that the results might or might not be in accordance with his instincts. In this respect, the school's management might have been just as uneducated in these matters as the student. Perhaps there is more to this particular story than has been reported. Perhaps the student was informed he was not to do further testing. The larger point is it would be useful to have some readily available guidelines for appropriate behavior by both the person finding the flaw and the organization receiving the report.
http://arstechnica.com/security/2013/01/massive-espionage-malware-relied-on-java-exploit-to-infect-pcs/ Red October relied on Java exploit to infect PCs Unearthed attack site reveals some inner workings of espionage malware. Dan Goodin, *Arstechnica*, 15 Jan 2013 opening paragraph: Attackers behind a massive espionage malware campaign that went undetected for five years relied in part on a vulnerability in the widely deployed Java software framework to ensnare their victims, a security researcher said.
Ed Bott for The Ed Bott Report, 22 Jan 2013 A close look at how Oracle installs deceptive software with Java updates http://www.zdnet.com/a-close-look-at-how-oracle-installs-deceptive-software-with-java-updates-7000010038/ Summary: Oracle's Java plugin for browsers is a notoriously insecure product. Over the past 18 months, the company has released 11 updates, six of them containing critical security fixes. With each update, Java actively tries to install unwanted software. Here's what it does, and why it has to stop.
Woody Leonhard, *InfoWorld*, 22 Jan 2013 Disabling Java in Internet Explorer: No easy task Firefox, Chrome, and Safari let you. But short of a complex, CERT-documented process, there's no reliable way to disable Java in IE http://www.infoworld.com/t/web-browsers/disabling-java-in-internet-explorer-no-easy-task-211220 The Microsoft instructions kill about 20 Java CLSIDs. The CERT method kills almost 800 of them. That has to make you wonder—at least, it makes me wonder—whether there are other tricky methods for invoking Java in Internet Explorer, even after the CERT fixes have been applied.
Mike Masnick, *Techdirt*, 11 Jan 2013 As you may or may not recall, last year, pretty much all the TV networks sued Dish Networks over a new feature it had launched, PrimeTime Any Time (PTAT), with its Autohopper technology on its DVRs. PTAT is where it would automatically record all the major networks' prime time programming and hold onto it for a bit. Autohopper would then automatically skip over the commercials. It's important to recognize that these features, on their own, have been considered legal. VCRs had auto commercial skip ages ago and DVR technology (time shifting) has been called fair use plenty of times. Given that, the lawsuits aren't going well so far. But, in a moment of pure stupidity, some very short-sighted suits at CBS made a really silly decision. As you may or may not have heard, CES—the massive consumer electronics show—has been going on all this week in Las Vegas. I just got back from there myself. At the show, Dish announced another merging of some of its products, adding its Slingbox (who they bought years back) to the same basic setup. Slingbox, of course, is for "place shifting" what the DVR is for "time shifting." You hook it up to your TV and it lets you access what's playing on your TV via the Internet (via your computer, phone or tablet). It's hardly surprising that this is where Dish was heading. ... http://www.techdirt.com/articles/20130111/00145421637/just-how-dumb-is-it-cbs-to-block-cnet-giving-dish-award.shtml
, *CNET*, 14 Jan 2013 The true story of what happened before last week's Best of CES Awards unveiling http://news.cnet.com/8301-30677_3-57563877-244/the-2013-best-of-ces-awards-cnets-story/ A CNET Reporter Resigns Amid CBS-Dish Tussle January 14, 2013 http://blogs.wsj.com/digits/2013/01/14/a-cnet-reporter-resigns-amid-cbs-dish-tussle/ Dish Gives Itself The Award That CBS Stopped CNET From Giving http://consumerist.com/2013/01/18/dish-gives-itself-the-award-that-cbs-stopped-cnet-from-giving/
Predictions of savings are usually based on two assumptions: 1) The new system is used instead of (not in addition to) the old one. 2) The records are shared so that tests and other exams do not have to be duplicated. In the cases that I have seen (a very limited set) at most one of these conditions has been met and often neither is met. Old systems are often incompatible with the new systems and may perform functions that the new ones do not do. Professor Emeritus, McMaster University, University of Limerick http://www.amadon.ca/Public/information.htm +1 613 2498038 parnas@mcmaster.ca
We are pleased to announce SecAppDev Leuven 2013, an intensive one-week course in secure application development. The course is organized by secappdev.org, a non-profit organization that aims to broaden security awareness in the development community and advance secure software engineering practices. The course is a joint initiative with KU Leuven and Solvay Brussels School of Economics and Management. SecAppDev 2013 is the 9th edition of our widely acclaimed course, attended by an international audience from a broad range of industries including financial services, telecom, consumer electronics and media and taught by leading software security experts including
+ Prof. dr. ir. Bart Preneel who heads COSIC, the renowned crypto lab.
+ Ken van Wyk, co-founder of the CERT Coordination Center and widely acclaimed author and lecturer.
+ Dr. Steven Murdoch of the University of Cambridge Computer Laboratory's security group, well known for his research in anonymity and banking system security.
+ Jim Manico, an OWASP board member.
+ John Steven, a sought-after architect for high-performance, scalable JEE systems.
When we ran our first annual course in 2005, emphasis was on awareness and security basics, but as the field matured and a thriving security training market developed, we felt it was not appropriate to compete as a non-profit organization. Our focus has hence shifted to providing a platform for leading-edge and experimental material from thought leaders in academia and industry. We look toward academics to provide research results that are ready to break into the mainstream and attract people with an industrial background to try out new content and formats. The course takes place from March 4th to 8th in the Faculty Club, Leuven, Belgium. For more information visit the web site: http://secappdev.org. Places are limited, so do not delay registering to avoid disappointment. Registration is on a first-come, first-served basis.
A 25% discount is available for Early Bird registration until January 15th. Alumni, public servants and independents receive a 50% discount. I hope that we will be able to welcome you or your colleagues to our course. Lieven Desmet http://secappdev.org Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm