Rush Holt, Star-Ledger Guest Columnist, 22 Feb 2013
Oscars put online voting problems back in the spotlight: Opinion
http://blog.nj.com/njv_guest_blog/2013/02/oscars_put_voting_problems_bac.html

Unfortunately, it went poorly, for reasons that shed light on the inherent difficulty of conducting secure, accessible, credible elections online.

Problems for Oscar voters began at the beginning: logging in. Voters were required to create special, complex passwords, but when they tried to log in to the Oscar website, many found their passwords rejected. After re-entering passwords several times, voters were locked out of the site entirely and forced to call a help line. Many then had to wait for new passwords, delivered by snail-mail. Even relatively young and tech-savvy voters weren't immune. As 42-year-old documentarian Morgan Spurlock told the Hollywood Reporter, "There's even some young farts like myself that are having problems."

These problems should sound familiar in New Jersey. Our state just conducted its own ad hoc experiment with online voting: Days before November's election, as many of us struggled to recover from Hurricane Sandy, voters displaced by the storm were told they could vote by e-mail. The result was chaos. Election clerks reported e-mail systems that were overwhelmed. In one county, voters were instructed to e-mail ballot requests to a Hotmail account. Many didn't know that, by law, their e-mail vote was only a place-holder and that they also had to mail a paper ballot. Others didn't fully understand that, because their ballot needed to be linked to their e-mail address to verify eligibility, voting online meant sacrificing the right to a private ballot. Ultimately, election officials postponed the voting deadline beyond Election Day to give voters time to overcome unpredicted obstacles.

[Rush Holt has been one of the most vocal members of Congress on the issues relating to voting system integrity, security, privacy, and so on. However, to RISKS readers, voting by e-mail should seem to be one of the worst possible alternatives, irrespective of how much is riding on any particular election. You have to trust too many parts of the overall process, too many people with insider opportunities for rigging, compromised servers, too many opportunities for mistakes, hardships, failures, denial of service and man-in-the-middle attacks, and much more. PGN]
Another relay malfunction. First New Orleans, now space!

"A main data relay system malfunctioned, and the computer that controls the station's critical functions switched to a backup, NASA officials said in a statement. However, the station was still unable to communicate with the Tracking and Data Relay satellite network that serves as the outpost's link to NASA's Mission Control center on the ground."
http://www.space.com/19854-nasa-space-station-contact-restored.html

Jim Reisert AD1C, <firstname.lastname@example.org>, http://www.ad1c.us
[Re: Super Bowl Blackout (McGill, RISKS-27.16)]

On 28 Aug 2003, parts of London, UK, had a power outage which affected much of the Underground (subway) during the evening rush-hour (a Google search for "2003 London blackout" produces loads of info); various factors appeared to be involved, but the direct cause was reported as a 1 Amp over-current relay being erroneously fitted instead of a 5 Amp one two years before (via a current-scaling transformer, of course). I'm not sure if there are any similarities with the Super Bowl event, but as someone said, the usual non-expert comment was "why wasn't it tested thoroughly?", to which the answer is: how do you rig up a multi-megawatt load bank to a public electricity supply...?

[Note: This outage is noted by Phil Thornley in RISKS-22.91, London blackout caused by incorrect relay fitting, and subsequently by Peter Amey in RISKS-22.97. I include Chris's item here as another reminder of the importance of remembering history in RISKS. PGN]
Marco Rubio gave a live response to the President's State of the Union Address on 12 Feb. He also taped a Spanish translation of the speech that was released to the media. Abc.com posted the Spanish language version and enabled Closed Captioning (CC). The CC was obviously automated, because the resulting 'translation' was a garbled mess of English words. Stephen Colbert—a comedian who plays a political pundit on TV—used these captions as the basis for a segment of the Colbert Report.
http://www.colbertnation.com/the-colbert-report-videos/423832/february-13-2013/spanish-state-of-the-rubio

(As of the morning of 14 Feb, abc.com still enabled CC on the speech, but as of this evening the CC option had been removed.)
In *The New York Times*, John M. Broder reported that the Tesla Model S electric car he was test-driving repeatedly ran out of juice, partly because cold weather reduces the battery's range by about 10 percent.

Charles Lane, The electric car mistake, *The Washington Post*, 11 Feb 2013, quotes Tesla chief executive Elon Musk, claiming that Broder's report is a fake, and that the vehicle log showed Broder didn't charge fully, and took an [unmentioned] long detour.
<http://www.washingtonpost.com/opinions/charles-lane-obamas-electric-car-mistake/2013/02/11/441b39f6-7490-11e2-aa12-e6cf1d31106b_story.html>

*The Times* stands by Broder.
http://www.theatlanticwire.com/technology/2013/02/elon-musks-data-doesnt-back-his-claims-new-york-times-fakery/62149/
http://wheels.blogs.nytimes.com/2013/02/14/that-tesla-data-what-it-says-and-what-it-doesnt/
[With thanks to Dr. D. Kross. PGN]

"Everyone knew there would be teething problems the first few weeks, but they've never stopped. We've started scheduling fewer patients because of the time they take to process. The air can turn blue when a senior consultant finds himself fiddling with a computer instead of seeing patients."
http://www.philly.com/philly/entertainment/20130218_The_flaws_of_electronic_records.html
http://www.readingchronicle.co.uk/news/roundup/articles/2013/02/16/86796-hospital-ready-to-ditch-30m-computer-system-/
[Sometimes it pays to read the fine print. A loophole in the professor's grading system led an entire class to skip the final, guaranteeing them all A's. People are wily! Dan Farmer]

Catherine Rampell, *The New York Times*, 14 Feb 2013 [Valentine's Day]
http://economix.blogs.nytimes.com/2013/02/14/gaming-the-system/?src=rechp

Dollars to doughnuts. *Inside Higher Ed* had a fascinating article a couple days ago about some college students who unanimously boycotted their final exam and all got A [grades] under a grading curve loophole. It's a great example of game theory at work. In several computer science courses at Johns Hopkins University, the grading curve was set by giving the highest score on the final an A, and then adjusting all lower scores accordingly. The students determined that if they collectively boycotted, then the highest score would be a zero, and so everyone would get an A. Amazingly, the students pulled it off.

[Foreshortened for RISKS, but the last paragraph is worth noting, quoting the Professor, Peter Froehlich:] "I have changed my grading scheme to include that everybody has 0 points means that everybody gets 0 percent, and I also added a clause stating that I reserve the right to give everybody 0 percent if I get the impression that the students are trying to `game' the system again."
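The loophole above is a degenerate-input bug in a normalization rule: "top score becomes 100%" has no defined meaning when the top score is zero. The following is an added example, not code from the article or from the course; function names, the letter boundaries and the sample scores are all constructed here. It puts the naive curve beside a version that applies the professor's stated fix (an all-zero class gets 0%) and adds a separate check that flags an all-zero exam for a human to look at.

```python
# Added example: curving exam scores against the class's top raw score, with the
# all-zero case (the boycott) handled explicitly. Names and thresholds are constructed.

def naive_curve(scores):
    """The rule as the students read it: whoever holds the top score gets 100%,
    everyone else is scaled relative to that score.  With every raw score at 0,
    every student *is* the top scorer, so everyone gets 100%."""
    if not scores:
        return {}
    top = max(scores.values())
    return {
        name: 100.0 if raw >= top else 100.0 * raw / top
        for name, raw in scores.items()
    }


def curve_scores(scores):
    """Curve with the degenerate case closed off: if nobody earned any points,
    the curve has no anchor and everyone gets 0%, as the professor's amended
    scheme states."""
    if not scores:
        return {}
    top = max(scores.values())
    if top <= 0:
        return {name: 0.0 for name in scores}
    return {name: 100.0 * raw / top for name, raw in scores.items()}


def letter_grade(percent):
    """Constructed letter boundaries; the article does not give the real ones."""
    if percent >= 90.0:
        return "A"
    if percent >= 80.0:
        return "B"
    if percent >= 70.0:
        return "C"
    return "F"


def collusion_suspected(scores):
    """Cheap detector for the pattern the article describes: an exam on which
    every submitted score is zero is not a normal outcome and should be
    reviewed by a person before any curve is applied."""
    return bool(scores) and all(raw == 0 for raw in scores.values())


if __name__ == "__main__":
    boycott = {"ana": 0, "ben": 0, "cho": 0}          # constructed: everyone stayed home
    normal = {"ana": 40, "ben": 80, "cho": 60}        # constructed: a real exam

    for label, exam in (("boycott", boycott), ("normal", normal)):
        print(label, "naive:", naive_curve(exam))
        print(label, "fixed:", curve_scores(exam))
        print(label, "review needed:", collusion_suspected(exam))
```

Under the naive rule the boycott turns every zero into an A; under the amended rule it turns every zero into 0%, and `collusion_suspected` catches the all-zero exam before either curve runs.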
David E. Sanger, David Barboza, Nicole Perlroth, *The New York Times*
http://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html?pagewanted=all
http://j.mp/136pc6D

"The building off Datong Road, surrounded by restaurants, massage parlors and a wine importer, is the headquarters of P.L.A. Unit 61398. A growing body of digital forensic evidence - confirmed by American intelligence officials who say they have tapped into the activity of the army unit for years - leaves little doubt that an overwhelming percentage of the attacks on American corporations, organizations and government agencies originate in and around the white tower."
Written by Joji Hamada, Symantec Employee

"The report, APT1: Exposing One of China's Cyber Espionage Units, published by Mandiant earlier this week has drawn worldwide attention by both the security world and the general public. This interest is due to the conclusion the report has drawn regarding the origin of targeted attacks, using advanced persistent threats (APT), performed by a certain group of attackers dubbed the Comment Crew. You can read Symantec's response to the report here."

"Today, Symantec has discovered someone performing targeted attacks is using the report as bait in an attempt to infect those who might be interested in reading it."
http://www.symantec.com/connect/blogs/malicious-mandiant-report-circulation

[This might be somewhat self-serving, especially if Symantec's business is booming as a result of many prominent companies coming out of the closet to admit that they too were victims... PGN]
Thilo Mueller and Michael Spreitzenbarth at Uni Erlangen have published a report and tools to perform cold boot attacks on Android smartphones. They describe (https://www1.informatik.uni-erlangen.de/frost) cooling the phone in a freezer for an hour before proceeding. Freezing RAM chips to read their content is not new, nor are cold boot attacks; here a concept has been proved and the tools made available. FROST illustrates that attacks (threats) that appeared very difficult and expensive and hence impracticable and negligible can suddenly become practical and real risks. My conclusion is that attacks which are logically possible must be taken seriously as risks - even if they are currently difficult. Last but not least, I found the pun irresistible, and in the spirit of Risks!
Oracle seeks to convince appeals court that Google's use of 37 lines of code is akin to plagiarizing a blockbuster literary work.
InfoWorld, 14 Feb 2013
http://www.infoworld.com/t/application-development/why-java-apis-arent-the-same-harry-potter-novel-212891
http://j.mp/15FxO8h (*The Washington Post* via NNSquad)

"Our partners and users do not have the right to take down videos from YouTube unless they contain content which is copyright infringing, which is why we have reinstated the videos."

YouTube has reinstated the video(s) [which I mentioned earlier today], noting that NASCAR did not have the right to remove them on copyright infringement grounds. Good work by the YouTube team.
ISP six-strikes starts tomorrow, and the expected results are ...
http://j.mp/W47lA7 (Torrent Freak via NNSquad)

"The much-discussed U.S. six strikes anti-piracy scheme is expected to go live on Monday. The start date hasn't been announced officially by the CCI but a source close to the scheme confirmed the plans."

Expected results:
1) Legit users are harassed due to IP address mix-ups, etc. Remember you must pay to file an appeal.
2) Proxy services see a massive up-tick in use.
3) Public Wi-Fi access points in small stores, etc. are decimated.
4) Relatively visible Torrent-based systems are even more rapidly replaced with completely underground and well-hidden systems.
5) In relatively short order, the MPAA et al. will be back with their Congressional supporters again demanding that the Internet be remade to protect their obsolete 20th century profit center models, no matter what the costs.
http://j.mp/15F3OcF (*IEEE Spectrum* via NNSquad) "Reviewers are gaming the system at Amazon and elsewhere for mischief, politics, and profit."
Bill Snyder, *InfoWorld*, 21 Feb 2013
New technologies are turning Web videos and photos into tools that will destroy your privacy
http://www.infoworld.com/d/the-industry-standard/nowhere-hide-video-location-tech-has-arrived-213184
"Stanford researcher Jonathan Mayer has contributed a Firefox patch that will block third-party cookies by default. It's now on track to land in version 22." http://j.mp/YM28Jh (Slashdot via NNSquad) No meaningful privacy enhancements will be provided to users by this change, but contrary to what Mozilla is saying, it *will* break many standard functions of many standard Web sites. Another "politically correct" step by Mozilla that actually makes users' lives more difficult.
We customers of anti-virus and other PC security software, we are sheep. We buy whatever is offered; we do not make demands, or even pretty-please requests, that future editions of the protection provide specific improvements. Not enough of us ask for the same thing.

I want the code which I key in to activate this upgrade printed large enough so I do not have to use a magnifying glass, or other aids, so the characters are readable for my aging eyes.

I want e-mail protection which says ... this hyperlink is not what its text claims to be. This attachment saying it came from company-X or government agency-X did not in fact come from that organization.

I want a browser click on ... this site is suspicious. Then there is a pull-down of options ... we select porn, hate site, selling clearly illegal product or service, promoting assassination of our leaders, whatever the grievance, or space to enter a comment if other than one of the above. Then another option, where we select who to report it to, such as local police, FBI, FTC, our ISP, the ACLU, whatever. When they get the "suspicious" reports, we have already categorized for them what we think the problem is, our identity, and our GPS position when we saw it.

When we have a company network, the e-mail should go through a different brand-name anti-virus, anti-phishing protection than what is on the individual PCs of the network, so one catches what the other protection misses.

When individual PCs try to connect to the company network, run a security software check ... do you have the latest security? Is it working? Has it been patched? Do you have a virus? If any answer is wrong, then you are disconnected from the network, your boss is notified, and a technician is dispatched to your location to fix your PC.

Do you have the same company PC doing your company banking, and that PC engaged in other Internet activity, like e-mail? Fire the manager who decided that was appropriate behavior.

Firewalls and anti-protection should check what's going out, as well as what's coming in. Here is confidential personal info going out. Is it going to a previously authorized location?

Al Mac (WOW) = Alister William Macintyre
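One of the wishes above, "this hyperlink is not what its text claims to be", is mechanically checkable: when an anchor's visible text looks like a URL, compare the host it names with the host the href actually points at. The following is an added example, not code from this post or from any vendor's product. It uses only the Python standard library; the sample e-mail body and all host names in it are constructed, and the host comparison is deliberately simplified to the last two DNS labels (it does not handle public-suffix cases such as co.uk).

```python
# Added example: flag anchors whose visible text names one host while the
# href points at another.  Sample HTML and host names are constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible text that a reader would take to be an address, e.g. "www.mybank.example/login".
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


def registrable_host(url):
    """Lower-cased host reduced to its last two labels.  Simplification: a real
    implementation would consult the public suffix list (co.uk, com.au, ...)."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def find_mismatched_links(html):
    """Return the anchors whose text names a host different from the href's host.
    Anchors whose text is not URL-like ("Help centre") are not judged at all."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if not href or not URL_LIKE.match(text):
            continue
        claimed, actual = registrable_host(text), registrable_host(href)
        if claimed != actual:
            findings.append({"text": text, "href": href,
                             "claimed_host": claimed, "actual_host": actual})
    return findings


# Constructed sample message: one deceptive link, one honest link, one plain-text link.
SAMPLE_EMAIL_HTML = """<p>Dear customer,</p>
<p>Please verify your account at
<a href="http://mybank.example.login-verify.test/session">https://www.mybank.example/login</a></p>
<p>Our policy: <a href="https://www.mybank.example/policy">https://www.mybank.example/policy</a></p>
<p><a href="https://www.mybank.example/help">Help centre</a></p>
"""

if __name__ == "__main__":
    for finding in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print("MISMATCH: text says %(claimed_host)s, link goes to %(actual_host)s (%(href)s)" % finding)
```

Run against the constructed message, only the first anchor is reported: its text claims mybank.example while the href resolves to login-verify.test. Text that is not an address is left alone, since a label like "Help centre" makes no claim about a host; a mail filter would combine this check with sender authentication to cover the other wish in the post, mail that claims to come from an organization it did not come from.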
"A technology called Legal Intercept that Microsoft hopes to patent would allow the company to secretly intercept, monitor and record Skype calls. And it's stoking privacy concerns." (*Computerworld* via NNSquad) http://j.mp/WV2pKr
From an intellectual property perspective, wouldn't it make a lot of sense for a company to patent or otherwise protect snooping and/or security-related technology to prevent others (bad actors, competitors, etc.) from implementing the functionality and using it? While the chilling effect of the privacy implications is a concern, this kind of patent seems like an obvious defensive strategy as well?
FWIW, I described a Skype interception tool on this list 6+ years ago. I wonder if my description counts as prior art to the patent.
FMICS 2013
18th International Workshop on Formal Methods for Industrial Critical Systems
September 23-24, 2013, Madrid (Spain)
Co-located with SEFM 2013
http://lvl.info.ucl.ac.be/Fmics2013

[truncated for RISKS; see the URL for the full announcement. PGN]

Call for Papers

The aim of the FMICS workshop series is to provide a forum for researchers who are interested in the development and application of formal methods in industry. In particular, FMICS brings together scientists and engineers who are active in the area of formal methods and interested in exchanging their experiences in the industrial usage of these methods. The FMICS workshop series also strives to promote research and development for the improvement of formal methods and tools for industrial applications.

Topics of interest include (but are not limited to):
* Design, specification, code generation and testing based on formal methods.
* Methods, techniques and tools to support automated analysis, certification, debugging, learning, optimization and transformation of complex, distributed, real-time systems and embedded systems.
* Verification and validation methods that address shortcomings of existing methods with respect to their industrial applicability (e.g., scalability and usability issues).
* Tools for the development of formal design descriptions.
* Case studies and experience reports on industrial applications of formal methods, focusing on lessons learned or identification of new research directions.
* Impact of the adoption of formal methods on the development process and associated costs.
* Application of formal methods in standardization and industrial forums.

Submissions must describe authors' original research work and their results. Contributions should not exceed 15 pages formatted according to the LNCS style (Springer), and should be submitted as Portable Document Format (PDF) files using the EasyChair submission site:
https://www.easychair.org/conferences/?conf=fmics2013

Paper submissions by May 3rd.

Chairs:
Michael Dierkes (Rockwell Collins, France)
Charles Pecheur (Université catholique de Louvain, Belgium)

Dott. Diego Latella - Senior Researcher - CNR/ISTI, Via Moruzzi 1, 56124 Pisa, IT (http:www.isti.cnr.it)
FM&&T Laboratory (http://fmt.isti.cnr.it)
http://www.isti.cnr.it/People/D.Latella - phone: +39 0503152982 - mob: +39 348 8283101 - fax +39 0503152040