Future of Federal Cybersecurity R&D Strategies Webcast When: Tuesday, 27 Nov 2012 Time: 1:00pm-3:00pm EST Webcast link: http://www.tvworldwide.com/events/nsf/121127/ Join a webcast of the Federal government's cybersecurity research and development strategies. Senior Federal representatives will review Government activities in implementing the Federal cybersecurity R&D strategic plan and discuss emerging areas in cybersecurity research that may warrant further focus. The webcast session is part of the National Science Foundation's Secure and Trustworthy Cyberspace Conference. Additional information about the conference is available at http://cps-vo.org/group/satc
Man arrested for theft of "9 million files" said to comprise identity data for roughly 2/3 of the Greek population. http://www.thestar.com/news/world/article/1290410 I suppose this is the inevitable result of organizations that aggregate such massive quantities of data combined with technology that allows it all to fit on a tiny USB stick. Sooner or later, all of the data anyone might care about will fit on such a stick, including every private e-mail you've ever sent via cloud-based services and every embarrassing private photo you've ever uploaded to a personal profile.
3.8 million tax returns stolen by phishing attack against the state of South Carolina. http://openchannel.nbcnews.com/_news/2012/11/20/15313720-one-email-exposes-millions-of-people-to-data-theft-in-south-carolina-cyberattack?lite
1. Anonymous, Karl Rove, and 2012 Election Fix? http://truth-out.org/news/item/12845-anonymous-karl-rove-and-2012-election-fix Thom Hartmann and Sam Sacks, The Daily Take: Unless Anonymous presents evidence to support its claims that Rove planned to steal the presidential election for the GOP, its work will be relegated to the status of Internet antics—and the dustbins of history. 2. Why Anonymous' Claims about Election-Rigging Can't Be Ignored http://truth-out.org/news/item/12871-why-anonymous-claims-about-election-rigging-cant-be-ignored Thom Hartmann and Sam Sacks, The Daily Take: Given historical trends, why is it inconceivable to some that Karl Rove may have tried to electronically rig the election of 2012 in three states?
Michael Kranish, *The Boston Globe*, 2 Nov 2012 Mitt Romney's online voter-turnout operation suffered a meltdown on Election Day, resulting in a crucial 90-minute "buckling" of the system in Boston and the inability of some campaign workers across the country to use a vital smartphone program, according to campaign officials and volunteers. Code-named ORCA, the program was kept secret until just before the election in order to prevent hacking of the system. It was then trumpeted by Romney's aides as an unrivaled high-tech means of communicating with more than 30,000 field workers who were stationed at polling places on Election Day. Those volunteers were supposed to track who voted and to alert Boston headquarters if turnout was lower than expected at key precincts. But at Boston's TD Garden, where 800 Romney workers were staffing phones and computers in coordination with the field workers to oversee the turnout, the surge in traffic was so great that the system didn't work for 90 minutes, causing panic as staffers frantically tried to restore service. Some campaign workers also reported that they had incorrect PINS and had not been informed that they needed certification to work at polling places. ... http://www.boston.com/news/politics/2012/president/candidates/romney/2012/11/10/orca-mitt-romney-high-tech-get-out-the-vote-program-crashed-election-day/gflS8VkzDcJcXCrHoV0nsI/singlepage.html
Robert X. Cringely, *InfoWorld*, 09 Nov 2012 Unleashed! Project Orca, the campaign killer whale Big data fails big time for the Romney camp as its smartphone app crashes spectacularly, right on schedule for Election Day http://www.infoworld.com/t/cringely/unleashed-project-orca-the-campaign-killer-whale-206782
[My apologies to Rebecca Mercuri. She sent me this item just *before* the election, and I requeued it to RISKS for the post-election issue—but somehow it fell through the crack. However, it is still very timely. PGN] http://tabtimes.com/feature/government/2012/11/05/security-issues-threaten-derail-rise-tablet-voting This interview was done a while ago, but they apparently held the article for publication immediately prior to the election. A few of my quotes sounded even more pithy given the e-mail and fax voting options in NJ. [For example, see Andrew Appel's Freedom-to-Tinker item in RISKS-27.06. PGN] Incidentally, *everyone* in NJ could have availed themselves of paper ballot voting if they had registered as permanent absentees (no reason needed). It's an easy form, and every year, like clockwork, your ballot shows up to fill out and send back (or drop off at the County Board of Elections). No polls, no lines, no waiting. And indeed, these are the only voter-verified records available for hand-recounts in the Garden State.
3 reasons why Estonia's e-voting is irrelevant to the U.S. 1) Estonia has a national ID system that enables strong authentication of online citizen/gov't transactions. The U.S. has no prospect of a national ID system, and no state has a state ID system that supports online transactions. 2) Estonia's elections are administered by the Federal government. U.S. elections are administered locally. 3) Even with much federal funding for a central I.T. system for i-voting, the result was a system with low software integrity and lax datacenter operations that were given a "gentleman's C-" by independent review by OSCE. In the less polite U.S., that grade would have been an "F". Instead of saying "If it works in Estonia, why can't it work in the U.S.?" the question is "If it did not work in Estonia, why would you think it would work for each of the thousands of U.S. local elections?"
John Markoff, *The New York Times*, 20 Nov 2012, Scientists at Toshiba and Cambridge University have perfected a technique that offers a less expensive way to ensure the security of the high-speed fiber optic cables that are the backbone of the modern Internet. http://www.nytimes.com/2012/11/20/technology/fiber-optic-breakthrough-to-improve-internet-security-cheaply.html The research, which will be published Tuesday in the science journal Physical Review X, describes a technique for making infinitesimally short time measurements needed to capture pulses of quantum light hidden in streams of billions of photons transmitted each second in data networks. Scientists used an advanced photodetector to extract weak photons from the torrents of light pulses carried by fiber optic cables, making it possible to safely distribute secret keys necessary to scramble data over distances up to 56 miles. Such data scrambling systems will most likely be used first for government communications systems for national security. But they will also be valuable for protecting financial data and ultimately all information transmitted over the Internet. The approach is based on quantum physics, which offers the ability to exchange information in a way that the act of eavesdropping on the communication would be immediately apparent. The achievement requires the ability to reliably measure a remarkably small window of time to capture a pulse of light, in this case lasting just 50 picoseconds—the time it takes light to travel 15 millimeters. ... [I'm very fond of David Wagner's comment to the effect that quantum cryptography takes money that people don't have to solve a problem they don't have. PGN]
[Thanks to Kenneth Olthoff for spotting this one. PGN] If you thought that embarrassing photos from a party where you had one too many were a problem on Facebook, here's one from the BBC about the face of the "martyr" that was the wrong person's photo. It led to the woman whose photo was mistakenly used having to flee her country. http://www.bbc.co.uk/news/magazine-20267989
The People app calendar goes from November 2012 to January 2013, and completely omits December. The People app is the default app for contact info on Androids. http://www.bbc.co.uk/news/technology-20392386 [The Androgrinch stole Christmas? PGN]
Will Big Data sink Europe's nightmarish "Right to be Forgotten" concept? Let's hope so! http://j.mp/SdluF1 (GigaOM via NNSquad) "A report by Europe's cybersecurity agency points out several flaws with the proposed 'right to be forgotten'. A big one has to do with the challenges presented by the increasing use of aggregated data." Good. Very good. Excellent. Just about anything that helps to kill off the nightmarish Right to Be Forgotten concept is welcome. Background reading on this issue: "The 'Right to Be Forgotten'. A Threat We Dare Not Forget": http://bit.ly/yk8t7m (Lauren's Blog)
After Hurricane Sandy, survivors needed, in addition to safety and power, the ability to communicate. Yet in parts of New York City, mobile communications services were knocked out for days. The problem? The companies that provide them had successfully resisted Federal Communications Commission calls to make emergency preparations, leaving New Yorkers to rely on the carriers' voluntary efforts. http://bloom.bg/QK5ZYd Susan Crawford is a monthly columnist for Bloomberg View. She is a visiting professor at Harvard's Kennedy School of Government and at Harvard Law School. [This is a long item from Dave Farber's IP distribution, truncated for RISKS, but worth pursuing. It generated extensive comments that are included at the above URL. PGN] Contacts: Susan P. Crawford at scrawford@scrawford.net or @scrawford <https://twitter.com/scrawford> on Twitter.
In the US, e-mail privacy is protected by the Electronic Communications Privacy Act. The law, passed in 1986, requires that law enforcement officials obtain a warrant to intercept & read private e-mail. But the law has a critical flaw: It treats e-mail left on third-party servers for 180 days as “abandoned.” All that’s necessary for the government to get copies of those older messages is for a prosecutor to request them. Now that IMAP and web-based mail is commonplace, many people use mail servers for permanent storage of old messages. I doubt the average gmail user considers his old messages as abandoned. Apparently this loophole played a role in the recent investigation of CIA director General Petraeus. A coalition of e-mail service providers is seeking a revision of the law to treat messages in the cloud the same as messages stored on a home computer. The Obama administration opposes the change.
Good *NYT* article on the conflicting goals of investigating harassment or security breaches, versus respecting people's privacy. "The F.B.I. investigation that toppled the director of the C.I.A. [...] underscores a danger that civil libertarians have long warned about: that in policing the Web for crime, espionage and sabotage, government investigators will unavoidably invade the private lives of Americans." "What began as a private, and far from momentous, conflict between two women [...] has had incalculable public costs." http://www.nytimes.com/2012/11/14/us/david-petraeus-case-raises-concerns-about-americans-privacy.html&emc=eta1
http://www.itbusiness.ca/IT/client/en/CDN/News.asp?id=69298 Unlocking the brilliance in high tech Author describes her journey in the male dominated engineering trade 11/10/2012 5:09:00 PM By: Christine Wong This article is mainly about how one woman got going in engineering, but then gets into a risk of not having more women in the field. "Examples in her book include the fact that voice recognition software and car air bags weren't originally designed with female users in mind, an oversight that had disastrous results in the former case and life threateningly dangerous consequences in the latter."
> From: "Jones, Douglas W" <douglas-w-jones@uiowa.edu> > In my opinion, Florida's legislature can make several changes to address > these problems... There are 2 halves to this idea. The good half is for the long form to contain all the legalese, the official language that actually accomplishes something, with the short form containing the PR version that conveys a layperson's interpretation of the measure. The bad half is letting the proponents compose the PR version. This is likely to lead to things like "Little pig-tailed girls love kitties and rainbows and butterflies, and isn't that wonderful?", regardless of what the measure actually accomplishes. Its proposers will naturally skew the interpretation to be as favorable as possible toward the outcome they desire. Here in Wisconsin the short-form wording is composed by the non-partisan Legislative Reference Bureau, and this seems to have been satisfactory, although we haven't had such issues with nearly the frequency of other states. On a related matter, I muse that sooner or later some jurisdiction will try on-line voting, some 13-year-old computer whiz will hack the system to get himself elected mayor or governor, and that'll be the end of that. Richard S. Russell, a Bright (http://the-brights.net) 2642 Kendall Av. #2, Madison WI 53705-3736 608+233-5640 • RichardSRussell@tds.net http://richardsrussell.livejournal.com/
The Sixth Layered Assurance Workshop (LAW) co-located with the 28th Annual Computer Security Applications Conference (ACSAC 2012) Buena Vista Palace Hotel & Spa in the Walt Disney World Resort, Florida, USA 3-4 December 2012 http://www.acsac.org/2012/workshops/law/ The Layered Assurance Workshop is just twelve days away. The final LAW program is available at the link above. See the program for the interesting panels and papers. Registration for LAW may be accomplished through the ACSAC registration page at http://www.acsac.org. We look forward to your participation. Rance J. DeLong, Workshop Chair [Disclaimer: I'll be participating in both LAW2012 and ACSAC. Both very worthy meetings. PGN]