The Norwegian government is ceasing their experiments to conduct elections using the Internet. Apparently they have realized that security and privacy are inadequate. Earlier experiments have shown major flaws in cryptographic implementations, poor software engineering (e.g., `spaghetti code', which was noted as a problem in a voting machine by Eva Waskell in 1986!!!), lack of contemporary system security/integrity evaluations, and more—in the Scytl software. http://www.tu.no/it/2014/06/25/regjeringen-vraker-e-valget?fb_action_ids`0096603443541&fb_action_types=og.recommends&fb_source=other_multiline&action_object_map=%5B711062558952360%5D&action_type_map=%5B%22og.recommends%22%5D&action_ref_map=%5B%5D [In this URL, I removed the `3D' used to encode the equal sign, but I have no idea what the `%5B' and `%5D' might be encoding in Norwegian. Sorry. PGN]
> The FATAL flaw of online voting systems (and one for which there is *no*
> technological solution whatsoever) isn't DDoS, identification, or
> communications security. It's very simply that there is *no* way to
> ensure that the voter isn't voting under duress... with a gun held to
> their head (figuratively, or even literally). . . .

One has to wonder how real a threat this might be. Yes, it's a nice movie of the week plot but it really doesn't make a lot of sense in that it influences exactly one vote which would rarely be decisive. I suppose an employer might use coercion to force their entire workplace to vote one way or another but, again, can it be done in numbers significant enough to influence even a middling size election? I rather doubt it.

> No way to make sure the voter isn't selling their vote (drugs, sex,
> alcohol, money...). . . .

While this is certainly execrable, again, can it be done on a large enough scale to dictate a result? It makes more sense to simply control the way the votes are counted or the machines which record them. That seems like a more clear and present danger than influencing votes in onesies and twosies. And that's a RISK that's not necessarily restricted to online or absentee/mail voting.
Adam Liptak, *The New York Times*, 25 Jun 2014 Supreme Court Says Phones Can't Be Searched Without a Warrant http://www.nytimes.com/2014/06/26/us/supreme-court-cellphones-search-privacy.html Washington—In a major statement on privacy rights in the digital age, the Supreme Court on Wednesday unanimously ruled that the police need warrants to search the cellphones of people they arrest. Chief Justice John G. Roberts Jr., writing for the court, said the vast amount of data contained on modern cellphones must be protected from routine inspection. The old rules, Chief Justice Roberts said, cannot be applied to “modern cellphones, which are now such a pervasive and insistent part of daily life that the proverbial visitor from Mars might conclude they were an important feature of human anatomy.'' The courts have long allowed warrantless searches in connection with arrests, saying they are justified by the need to protect police officers and to prevent the destruction of evidence. But Chief Justice Roberts said neither justification made much sense in the context of cellphones. On the other side of the balance, he said, is the data contained on the typical cellphone. Ninety percent of Americans have them, he wrote, and they contain “a digital record of nearly every aspect of their lives—from the mundane to the intimate.'' Even the word `cellphone' is a misnomer, he said. “They could just as easily be called cameras, video players, Rolodexes, calendars, tape recorders, libraries, diaries, albums, televisions, maps or newspapers,'' he wrote. Chief Justice Roberts acknowledged that the decision would make law enforcement more difficult. “Cellphones have become important tools in facilitating coordination and communication among members of criminal enterprises, and can provide valuable incriminating information about dangerous criminals. Privacy comes at a cost.'' The court heard arguments in April in two cases on the issue, but issued a single decision. 
The first case, Riley v. California, No. 13-132, arose from the arrest of David L. Riley, who was pulled over in San Diego in 2009 for having an expired auto registration. The police found loaded guns in his car and, on inspecting Mr. Riley's smartphone, entries they associated with a street gang. A more comprehensive search of the phone led to information that linked Mr. Riley to a shooting. He was later convicted of attempted murder and sentenced to 15 years to life in prison. A California appeals court said neither search had required a warrant. The second case, United States v. Wurie, No. 13-212, involved a search of the call log of the flip phone of Brima Wurie, who was arrested in 2007 in Boston and charged with gun and drug crimes. The federal appeals court in Boston last year threw out the evidence found on Mr. Wurie's phone. News organizations, including The New York Times, filed a brief supporting Mr. Riley and Mr. Wurie in which they argued that cellphone searches can compromise news gathering. The Justice Department, in its Supreme Court briefs, said cellphones are not materially different from wallets, purses and address books. Chief Justice Roberts disagreed: “That is like saying a ride on horseback is not materially indistinguishable from a flight to the moon.''
NPR via NNSquad http://www.npr.org/2014/06/25/325608295/high-court-ruling-on-search-warrants-is-broader-than-cellphones?ft=1&f01 "This is not just a phone case," said Mark Eckenwiler, former deputy chief of the Computer Crime Section at the Department of Justice. "This is really a digital evidence case." The decision applies to laptops, tablets and all manner of electronic devices. This was a pretty sweeping decision, leaving little wiggle room for law enforcement. "There's not a lot of ambiguity there," he said.
Kim Zetter, *WiReD*, Jun 24 2014 (via Dave Farber) <http://www.wired.com/2014/06/remote-control-system-phone-surveillance/> Newly uncovered components of a digital surveillance tool used by more than 60 governments worldwide provide a rare glimpse at the extensive ways law enforcement and intelligence agencies use the tool to surreptitiously record and steal data from mobile phones. The modules, made by the Italian company Hacking Team, were uncovered by researchers working independently of each other at Kaspersky Lab in Russia and the Citizen Lab in Canada, who say the findings provide great insight into the trade craft behind Hacking Team's tools. The new components target Android, iOS, Windows Mobile, and BlackBerry users and are part of Hacking Team's larger suite of tools used for targeting desktop computers and laptops. But the iOS and Android modules provide cops and spooks with a robust menu of features to give them complete dominion over targeted phones. They allow, for example, for covert collection of emails, text messages, call history and address books, and they can be used to log keystrokes and obtain search history data. They can take screenshots, record audio from the phones to monitor calls or ambient conversations, hijack the phone's camera to snap pictures or piggyback on the phone's GPS system to monitor the user's location. The Android version can also enable the phone's Wi-Fi function to siphon data from the phone wirelessly instead of using the cell network to transmit it. The latter would incur data charges and raise the phone owner's suspicion. “Secretly activating the microphone and taking regular camera shots provides constant surveillance of the target—which is much more powerful than traditional cloak and dagger operations,'' notes Kaspersky researcher Sergey Golovanov in a blog post about the findings.
It's long been known that law enforcement and intelligence agencies worldwide use Hacking Team's tools to spy on computer and mobile phone users -- including, in some countries, to spy on political dissidents, journalists and human rights advocates. This is the first time, however, that the modules used to spy on mobile phone users have been uncovered in the wild and reverse-engineered. Kaspersky and Citizen Lab discovered them after developing new methods to search for code fragments and digital certificates used by Hacking Team's tools. The modules work in conjunction with Hacking Team's core surveillance tool, known as the Remote Control System, which the company markets under the names Da Vinci and Galileo. [...]
Barclays Bank is rolling out voice biometrics technology at its call centres that recognises customers when they start talking. Customers who call Barclays currently have to share their passcodes or 16-digit debit card numbers in order to verify themselves. With the new system, customers can choose to have their voice recorded and held on file by the bank. Then, when they call to access their account, they engage in a few seconds of conversation with a staffer. During that time, Nuance FreeSpeech voice biometrics technology is used to compare the customer's voice to their unique voiceprint on file, and silently signals to the employee when the customer's identity has been verified. Barclays began using the Nuance system at its wealth management arm last year but is set to introduce it for normal retail customers early next year. Ashok Vaswani, chief executive, Barclays personal and corporate banking, told the Sunday Telegraph that the technology is "foolproof" and cuts the time it takes to verify customers from 90 seconds to 10 seconds. "Foolproof", eh? So that's all right, then. Being a fool, I can trust it implicitly. Odd, though, that my Nuance Dragon system still fails to recognise common words when I have been using it almost daily for nigh on two years. Barclays' system must be far, far superior.
How does Equifax obtain this sensitive and secret information? http://redtape.nbcnews.com/_news/2013/01/30/16762661-exclusive-your-employer-may-share-your-salary-and-equifax-might-sell-that-data?lite Quote: "With the willing aid of thousands of U.S. businesses, including many of the Fortune 500. Government agencies—representing 85 percent of the federal civilian population, including workers at the Department of Defense, according to Equifax—and schools also work with The Work Number. Many of them let Equifax tap directly into their data so the credit bureau can always have the latest employment information. In fact, these organizations actually pay Equifax for the privilege of giving away their employees' personal information." The story claims: "It's the biggest privacy breach in our time, and it's legal and no one knows it's going on," said Robert Mather, who runs a small employment background company named Pre-Employ.com. "It's like a secret CIA." BUT the story is wrong: the greatest privacy breach of our time is the collection, aggregation and sale of ALL health data (inside and outside the healthcare system) by companies like IMS Health Holdings. IMS Health Holdings buys, sells and trades personal health data of 500 million people (including electronic health records, prescriptions, claims data and health info in social media) with "100,00 health data suppliers covering 780,000 daily data feeds" to create "anonymous" longitudinal, real-time profiles it sells to "5,000 customers" including the US government. See: http://www.sec.gov/Archives/edgar/data/1595262/000119312514000659/d628679ds1.htm The health data broker industry sells far more damaging personal data than Equifax. Deborah C. Peel, MD, Founder and Chair, Patient Privacy Rights http://www.patientprivacyrights.org/ http://patientprivacyrights.org/trust-framework/ (512) 732-0033
Woody Leonhard | InfoWorld, 24 Jun 2014 Google's invitation-only Domains name registration service works a lot like the old one but raises new questions about privacy and ad scraping http://www.infoworld.com/t/internet-privacy/privacy-concerns-loom-over-new-google-domain-registration-service-244927
http://www.infoworld.com/d/security/two-months-later-300k-servers-still-vulnerable-heartbleed-244850 Ian Paul, PC World/InfoWorld, 23 Jun 2014 A large number of websites are still vulnerable to the OpenSSL flaw, but it's unlikely they'll be patched anytime soon. selected text: Currently, there are about 309,197 systems still vulnerable to Heartbleed, which is a slight drop from the 318,239 Graham discovered in early May. The slow drop indicates that Heartbleed patching has more or less ended. As widespread and devastating as Heartbleed is, it's easily one of the scariest security stories of 2014—and doubly so if hundreds of thousands of servers are likely to remain vulnerable for the foreseeable future.
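The item above reports only that hundreds of thousands of servers remain unpatched. As an added illustration of what "vulnerable to Heartbleed" (CVE-2014-0160) actually means, the C below is example code written for this digest, not code from the article, from OpenSSL, or from Robert Graham's scanner. It implements a simplified RFC 6520 heartbeat handler twice: once trusting the attacker-supplied payload length, as the buggy OpenSSL did, and once with the bounds check that OpenSSL 1.0.1g added. The record it operates on (two real payload bytes, a declared length of 64, and the "SECRET-KEY-MATERIAL" bytes placed after it to stand in for adjacent process memory) is constructed in memory for the demonstration, as are the helper names.

```c
/* Added example (not from the article or from OpenSSL): the missing
   bounds check behind Heartbleed, shown on a constructed in-memory record. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_PADDING  16                         /* RFC 6520: at least 16 bytes */
#define RECORD_LEN  (1 + 2 + 2 + HB_PADDING)   /* type + length + 2-byte payload + padding */
#define DEMO_BUF    128

/* Lay out a heartbeat request whose declared payload length (64) is far
   larger than the 2 bytes actually sent, then place bytes standing in for
   unrelated process memory right after the record. Returns the real record
   length, i.e. what the TLS record layer would report. (Constructed data.) */
size_t build_demo_buffer(uint8_t *buf, size_t cap) {
    memset(buf, 0, cap);
    buf[0] = HB_REQUEST;
    buf[1] = 0x00; buf[2] = 0x40;       /* payload_length = 64, big-endian */
    buf[3] = 'h'; buf[4] = 'i';         /* the only real payload bytes */
    /* buf[5..20]: 16 bytes of zero padding (already zeroed above) */
    memcpy(buf + RECORD_LEN, "SECRET-KEY-MATERIAL", 19);  /* "adjacent heap" */
    return RECORD_LEN;
}

static uint16_t read_be16(const uint8_t *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Vulnerable handler: trusts payload_length and echoes that many bytes
   from the record without comparing it to rec_len. Returns bytes echoed,
   or -1 on a malformed type. */
int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap) {
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    size_t payload_len = read_be16(rec + 1);
    if (payload_len > out_cap) return -1;   /* only to keep this demo in bounds */
    memcpy(out, rec + 3, payload_len);      /* reads well past the 21-byte record */
    return (int)payload_len;
}

/* Fixed handler: the check added in OpenSSL 1.0.1g. A request whose
   declared payload plus header and padding exceeds the record is dropped. */
int heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                    uint8_t *out, size_t out_cap) {
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    size_t payload_len = read_be16(rec + 1);
    if (1 + 2 + payload_len + HB_PADDING > rec_len) return -1;  /* silently discard */
    if (payload_len > out_cap) return -1;
    memcpy(out, rec + 3, payload_len);
    return (int)payload_len;
}

/* Number of echoed bytes that lie beyond the end of the real record. */
int leaked_bytes_vulnerable(void) {
    uint8_t buf[DEMO_BUF], out[DEMO_BUF];
    size_t rec_len = build_demo_buffer(buf, sizeof buf);
    int n = heartbeat_vulnerable(buf, rec_len, out, sizeof out);
    if (n < 0) return 0;
    return n - (int)(rec_len - 3);          /* minus real payload + padding */
}

/* Does the vulnerable response contain the bytes placed after the record? */
int vulnerable_echoes_secret(void) {
    uint8_t buf[DEMO_BUF], out[DEMO_BUF];
    size_t rec_len = build_demo_buffer(buf, sizeof buf);
    int n = heartbeat_vulnerable(buf, rec_len, out, sizeof out);
    return n > 0 && memcmp(out + (rec_len - 3), "SECRET", 6) == 0;
}

/* The fixed handler refuses the same request outright. */
int fixed_rejects(void) {
    uint8_t buf[DEMO_BUF], out[DEMO_BUF];
    size_t rec_len = build_demo_buffer(buf, sizeof buf);
    return heartbeat_fixed(buf, rec_len, out, sizeof out) == -1;
}
```

On the constructed record the vulnerable handler echoes 64 bytes of which 46 were never part of the request, and the "secret" bytes appear in the response at the offset just past the real payload and padding; the fixed handler discards the request. A scanner such as the one the article cites works on the same principle over a real TLS connection: send a heartbeat with a length larger than its payload and see whether the server answers with more than it was given.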
Andy Greenberg, *WiReD News* 24 Jun 2014, via ACM TechNews, June 25, 2014 University of Massachusetts (UMass) Lowell researchers have developed software that uses video from wearable devices such as Google Glass and smartwatches to read four-digit PIN codes typed onto an iPad from almost 10 feet away, and from almost 150 feet with a high-definition camcorder. The software involves a custom-coded video-recognition algorithm that tracks the shadows from finger taps and could recognize the codes even when the video did not capture any images on the target devices' displays. "I think of this as a kind of alert about Google Glass, smartwatches, all these devices," says UMass Lowell professor Xinwen Fu. "If someone can take a video of you typing on the screen, you lose everything." The researchers found that Google Glass identified the four-digit PIN from three meters away with 83 percent accuracy, while webcam video revealed the code 92 percent of the time. The software also can identify passcodes even when the screen is unreadable based on the iPad's geometry and the position of the user's fingers. The software maps an image of the angled iPad onto a "reference" image of the device, then looks for the abrupt down and up movements of the dark crescents that represent the fingers' shadows. Fu plans to present the findings with his students at the Black Hat security conference in August. http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-bad3x2b4c3x060206&
http://www.pcworld.com/article/2367400/researchers-expect-large-wave-of-rootkits-targeting-64bit-systems.html selected text: Following a downward trend during the past two years, the number of new rootkit samples rose in the first quarter of this year to a level not seen since 2011, according to statistics from security vendor McAfee. "The roadblocks set in place by 64-bit systems now appear to be mere speed bumps for well-organized attackers, who have already found ways to gain entry at the kernel level," the McAfee researchers said.
> A more definitive way of customizing Firefox is to simply download the
> source code from ftp.mozilla.org, and change it however you wish.

I find this mantra in the Open Sores sales pitch particularly annoying: everyone capable of actually doing that knows that a) The amount of effort required to understand (and subsequently change in a meaningful and non-disruptive way) somebody else's code is 80% of that of writing your own from scratch. With a codebase the size of mozilla's that's a plain crack pipe dream. b) Even if you can fix the code, you'll still have to build it. With something the size and complexity of firefox I bet it's not entirely trivial even on freenix where you can fetch the "source package" and all its pre-requisites. On systems without source package management, with for-pay development tools, etc., it's basically not worth the trouble. So who are you preaching to: those who can't do it or those who know why they can't do it? Dimitri Maziuk, Programmer/sysadmin BioMagResBank, UW-Madison http://www.bmrb.wisc.edu