The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 24

Weds 4 September 2014

Contents

Squirrels are now performing coordinated attacks
Jerry Saltzer
Software errors in Galileo Satellites
Debora Weber-Wulff
Computer Glitch Voids 17K Red Light Tickets in NJ
Monty Solomon
Stars' Nude Photos
Zeb Eckert and others via Gabe Goldberg
Bar exam software failure sets off wave of lawsuits
Gabe Goldberg
Hackers Build a Skype That's Not Controlled by Microsoft
Klint Finley
Salem College professor Spring-Serenity Duvall banned students from e-mailing and got more engagement from class.
Carl Straumsheim
Staged Blackout Drills
Dick Mills
JPMorgan and Other U.S. Banks Are Hit by Hackers
*TheNYTimes*
JPMorgan Hack Spanned Months Via Multiple Flaws
Blookberg via Henry Baker
An Iranian Grand Ayatollah Issues Fatwa Stating High-Speed Internet is Sharia
Lauren Weinstein
California Governor signs law requiring a kill switch on smartphones
Monty Solomon
Another Target Credit Card problem
Tim Duncan
Home Depot investigates potential hacking of credit card data
Robert Lemos via Monty Solomon
Long memories can be a pain
Paul Wallich
"CryptoWall held over half a million computers hostage, encrypted 5 billion files"
Lucian Constantin via Gene Wirchenko
"Reconnaissance code on industrial software site points to watering hole attack"
Lucian Constantin via Gene Wirchenko
Re: zero-day bounties
jericho
Re: Feds warn first responders of dangerous hacking tool
Scott Miller
Re: Why Internet voting is a very dangerous idea
Ken Shotting
John Stanley
Mike Jeays
Jay Ashworth
Re: Regarding Tesla's cash cow
Ivan Jager
Anthony
Re: Stealing Encryption Keys Through the Power of Touch
Anthony Thorn
Paper on novel technologies and slow diffusion of information
Andrew Odlyzko
Quantum Networking book published
Rodney Van Meter
Info on RISKS (comp.risks)

Squirrels are now performing coordinated attacks

Jerry Saltzer <Saltzer@mit.edu>
Sat, 30 Aug 2014 21:31:27 -0600
It has been a while since a report appeared in RISKS of a squirrel chewing
through a communication cable [*]. To relieve the monotonous drumbeat of
cyberattack breaches, here is a *two*-squirrel report:

At our summer place in the central Idaho mountains, a little after 9:00
a.m. on August 8, 2014, Internet service on our Frontiernet DSL line went
dead.  A couple of pings established that the DSL line was OK and the
central office was still alive.  Our next-door neighbor knocked on the door
and asked if we had Internet service, since hers was out, too.  I grabbed my
iPad, which has Internet service on AT&T Mobile, and found that it was
incommunicado.  The neighbor checked her iPhone, which has Internet service
on Verizon Wireless, and it was dead, too.  Then a second neighbor came by
and asked why her cable TV just went dark.

A local hamburger joint put up a sign saying "cash only", since they
couldn't authenticate credit cards or validate checks, and the nearby
hospital reverted to paper procedures, since the dedicated circuit to their
main office 100 miles to the south was out. Then, around 5 p.m.,
communication services started working again.

Syringa Networks, the regional ISP that links Internet points of presence
and provides commercial communication services for this area, said that a
squirrel had gnawed through a fiber-optic cable in Weiser, Idaho. By itself
that should have caused only momentary trouble, since Syringa backs up that
cable, running up the Weiser river valley, with a second fiber-optic link
running up the Payette river valley, 20 miles to the east.  But, according
to Syringa, a second squirrel chewed through the Payette river valley
fiber-optic cable near Hidden Springs, Idaho.  The result was that a
120-mile strip of western Idaho, from Horseshoe Bend to Whitebird, nestled
between Hells Canyon and the central Idaho mountains, was cut off from the
world.  Internet service, cable TV service, and dedicated communication
lines were all out of service.  Interestingly, landline POTS seemed not to
be affected, probably because those services are still using old-fashioned
microwave relay towers rather than chewable fiber links.

More details:  Squirrel Took A Mega Byte
  http://livinginthenews.com/article/2051?p=3

  [* The most recent item was Squirrelcide at San Jose Airport (Dave
     Stringer-Calvert, RISKS-20.87, 14 Apr 2000).  Perhapas the squirrels
     have gotten smarter.  PGN adds: I'm surprised the local hamburger joint
     did not put up a sign: Special, today only, one squirrelburger.  First
     come, first served.]


Software errors in Galileo Satellites

Debora Weber-Wulff <weberwu@htw-berlin.de>
Fri, 29 Aug 2014 21:23:06 +0200
Just an article in English about the problem:

http://en.ria.ru/world/20140828/192413515/Galileo-Satellites-Incident-Likely-Result-of-Software-Errors.html


Computer Glitch Voids 17K Red Light Tickets in NJ

Monty Solomon <monty@roscom.com>
Sat, 30 Aug 2014 09:51:01 -0400
http://www.nbcnewyork.com/news/local/New-Jersey-Red-Light-Camera-Tickets-Voided-Computer-Glitch-272196701.html


Stars' Nude Photos

Gabe Goldberg <gabe@gabegold.com>
Tue, 02 Sep 2014 00:01:40 -0400
Stars take nude photos, load them to cloud. Cloud hacked, photos posted
widely. Stars shocked, outraged, sue. Go figure...

Zeb Eckert, Bloomberg, 1 Sep 2014
<http://bloom.bg/1tpoenQ>

Apple's security standard being under scrutiny after reports that hackers
used the iCloud service to illegally access nude photos of celebrities in
the U.S. and UK.
http://bloom.bg/1B9bP8O

  [See also Andy Greenberg, `Police Tool Used to Steal Nude Pics From
  iCloud', *WiReD.com*, 2 Sep 2014 noted by Henry Baker, with the back
  story at considerable length.  PGN]
    https://www.wired.com/2014/09/eppb-icloud/

  [See also Emily Wright, 'Leak' of Celebrities' Personal Property a
  Despicable, Eye-Opening Crime, *The Boston Globe*. 2 Sep 2014,  PGN
    http://www.boston.com/entertainment/celebrity/2015/09/09/leak-celebrities-personal-property-despicable-crime/BzurbE727AJHdTQcSlrvKK/story.html

  [See also Sean Gallagher, Apple confirms celebrities' accounts breached in
 "highly targeted" attack, Ars Technica, 2 Sep 2014.  PGN]
    http://arstechnica.com/tech-policy/2014/09/apple-confirms-celebrities-accounts-breached-in-highly-targeted-attack/


Bar exam software failure sets off wave of lawsuits

Gabe Goldberg <gabe@gabegold.com>
Mon, 01 Sep 2014 23:43:13 -0400
PORTLAND, Ore. (AP via San Jose Mercury News)—Law students taking the bar
exam have it tough: Three years hitting the books. Hundreds of thousands of
dollars in tuition. And all of it, potentially wasted with a few failed
attempts at the dreaded state-administered test.

So in late July, with one day of the grueling session behind them, thousands
of law students were surprised to find that they couldn't upload their
answers using the software they purchased from Florida-based ExamSoft
Worldwide Inc.

Third-year law students with mountains of debt were perhaps not the best
crowd to tick off.

They sued. And they sued. And they sued.

http://www.mercurynews.com/education/ci_26321759/bar-exam-software-failure-sets-off-wave-lawsuits

Software critical for deadline-driven test submission required for bar exam
-- updated just before crush of seasonal test taking. What could go wrong?

Gabriel Goldberg, Computers and Publishing, Inc.       gabe@gabegold.com
3401 Silver Maple Place, Falls Church, VA 22042           (703) 204-0433


Hackers Build a Skype That's Not Controlled by Microsoft (Klint Finley via Dave Farber)

*Dewayne Hendricks* <dewayne@warpspeed.com>
Monday, 1 Sep 2014
Klint Finley, Out in the Open, 1 Sep 2014
<http://www.wired.com/2014/09/tox/>

The web forum 4chan is known mostly as a place to share juvenile and, to put
it mildly, politically incorrect images. But it's also the birthplace of one
of the latest attempts to subvert the NSA's mass surveillance program.

When whistleblower Edward Snowden revealed that full extent of the NSA's
activities last year, members of the site's tech forum started talking about
the need for a more secure alternative to Skype. Soon, they'd opened a chat
room to discuss the project and created an account on the code hosting and
collaboration site GitHub and began uploading code.

Eventually, they settled on the name Tox, and you can already download
prototypes of the surprisingly easy-to-use tool. The tool is part of a
widespread effort to create secure online communication tools that are
controlled not only by any one company, but by the world at large—a
continued reaction to the Snowden revelations. This includes everything from
instant messaging tools to email services.

It's too early to count on Tox to protect you from eavesdroppers and spies.
Like so many other new tools, it's still in the early stages of development
and has yet to receive the scrutiny that other security tools, such as the
instant messaging encryption plugin Off The Record has. But it endeavors to
carve a unique niche within the secure communications ecosystem.

Up to Your Imagination

The main thing the Tox team is trying to do, besides provide encryption, is
create a tool that requires no central servers whatsoever—not even ones
that you would host yourself. It relies on the same technology that
BitTorrent uses to provide direct connections between users, so there's no
central hub to snoop on or take down.

There are other developers trying to build a secure, peer-to-peer messaging
systems, including Briar and Invisible.im, a project co-created by HD Moore,
the creator of the popular security testing framework Metasploit.  And there
are other secure-centric voice calling apps, including those from Whisper
Systems and Silent Circle, which encrypt calls made through the traditional
telco infrastructure. But Tox is trying to roll both peer-to-peer and voice
calling into one.

Actually, it's going a bit further than that. Tox is actually just a
protocol for encrypted peer-to-peer data transmission.  “Tox is just a
tunnel to another node that' encrypted and secure,'' says David Lohle, a
spokesperson for the project. “What you want to send over that pipe is up
to your imagination.'' For example, one developer is building an e-mail
replacement with the protocol, and Lohle says someone else is building an
open source alternative toBitTorrent Sync.  ...  [snip]


Salem College professor Spring-Serenity Duvall banned students from e-mailing and got more engagement from class. (Carl Straumsheim)

Monty Solomon <monty@roscom.com>
Wed, 3 Sep 2014 12:14:47 -0400
Carl Straumsheim, Don't E-mail Me, 27 Aug 2014
http://www.slate.com/articles/life/inside_higher_ed/2014/08/salem_college_professor_spring_serenity_duvall_banned_students_from_emailing.html
https://www.insidehighered.com/news/2014/08/27/sake-student-faculty-interaction-professor-bans-student-email


Staged Blackout Drills

Dick Mills <dickandlibbymills@gmail.com>
Fri, 29 Aug 2014 14:27:03 -0400
Archives of The Risks Forum contain numerous indignant accounts of troubles
caused when the electric power went out unexpectedly.  Today, most of the
discussion depicts apocalyptic scenes to follow cyber attacks on the power
grid.  Listen to those stories and you may join the stampede to spend
hundreds of billions making it more secure.

Never mind that 100% reliability and 100% cyber security are unattainable.
Never mind that the goal of terrorism is to make us fearful and to induce us
to change our society and priorities.  Never mind that every year the public
does not experience a widespread blackout, that they unwittingly assume that
elevators, cell phones and such will never fail, thus increasing the
consequences of a real failure.

I am of the opinion that the power grid is already too reliable for our own
good, and that massive spending on grid security would actually be
counterproductive.  I'll explain.

In parts of India, the power goes out as often as five times per day.  Local
businesses and the people have adapted to the point where a blackout is
hardly noticed.  Life and commerce continue uninterrupted.  Some have their
own backup power.  Some find other ways do adapt.  No terrorist could scare
those people by the threat of a blackout.

Firemen hold weekly drills.  Pilots and nuclear plant operators train
extensively to handle emergencies making.  Indeed, all professionals
expected to deal with unexpected emergencies sharpen and test their skills,
and their equipment via practice.  Even as children, we participated in
school fire drills.

Why not sharpen and train consumers and businesses in analogous ways via
staged blackouts?  The short answer is that the mere thought is anathema to
the culture of the electric utility business.  These people dedicate their
lives to keeping the lights on always to the best of their abilities.

We could design a series of staged blackout drills of varying scope and
duration all the way up to a nationwide surprise blackout.  Periodic
refresher drills could maintain readiness.

If power grid security ceased to become a source of fear and a threat to the
economy, then its appeal as a terrorism target would vanish.  We could spend
those hundreds of billions on something else.  We might also become more
flexible in living with a grid dominated by unpredictable solar and wind
sources. It is hard tor me to think of a way we would not be better off.

Is there really a good reason to not do as I suggest?

Dick Mills, Sailing Vessel Tarwathie


JPMorgan and Other U.S. Banks Are Hit by Hackers

Monty Solomon <monty@roscom.com>
Fri, 29 Aug 2014 23:09:20 -0400
In a sophisticated cyberattack, the hackers infiltrated the banks' networks,
siphoning off gigabytes of data, including checking and savings account
information.

http://bits.blogs.nytimes.com/2014/08/28/daily-report-jpmorgan-and-other-u-s-banks-are-hit-by-hackers/


JPMorgan Hack Spanned Months Via Multiple Flaws

Henry Baker <hbaker1@pipeline.com>
Fri, 29 Aug 2014 14:00:58 -0700
FYI—Can anyone besides Rep. Mike Rogers still seriously believe in NSA's
NOBUS conceit: "Nobody But Us" ??

It's time to put *all* hands on the *defensive* deck, and remove all legal
authority for U.S. Govt agencies to *weaken* cyberdefenses.  "People who
live in glass houses shouldn't throw stones", and the U.S. lives in the
house with the most glass of all.

JPMorgan Hack Spanned Months Via Multiple Flaws
Jordan Robertson and Michael Riley 2014-08-29
http://www.bloomberg.com/news/2014-08-29/jpmorgan-hack-said-to-span-months-via-multiple-flaws.html

Hackers burrowed into the databanks of JPMorgan Chase & Co. and deftly
dodged one of the world's largest arrays of sophisticated detection systems
for months.

The attack, an outline of which was provided by two people familiar with the
firm's investigation, started in June at the digital equivalent of
JPMorgan's front door, exploiting an overlooked flaw in one of the bank's
websites.  From there, it quickly developed into any security team's worst
nightmare.

The hackers unleashed malicious programs that had been designed to penetrate
the corporate network of JPMorgan—the largest U.S. bank, which had vowed
two months before the attack began to spend a quarter-billion dollars a year
on cybersecurity.  With sophisticated tools, the intruders reached deep into
the bank's infrastructure, silently siphoning off gigabytes of information,
including customer-account data, until mid-August.

Only then did a JPMorgan team conducting a routine scan trigger an alarm.
They discovered a breach, now being traced and evaluated, which
investigators believe originated in Russia. [...]

  [Long item truncated for RISKS.  PGN]


An Iranian Grand Ayatollah Issues Fatwa Stating High-Speed Internet is against Sharia

Lauren Weinstein <lauren@vortex.com>
Sun, 31 Aug 2014 20:33:46 -0700
  A Grand Ayatollah in Iran has determined that access to high-speed and 3G
  Internet is "against Sharia" and "against moral standards." In answer to a
  question published on his website, Grand Ayatollah Nasser Makarem Shirazi,
  one of the country's highest clerical authorities, issued a fatwa, stating
  "All third generation [3G] and high-speed Internet services, prior to
  realization of the required conditions for the National Information
  Network [Iran's government-controlled and censored Internet which is under
  development], is against Sharia [and] against moral and human standards."
    Iran Human Rights via NNSquad
    http://www.iranhumanrights.org/2014/08/makarem-internet/

Comcast, Verizon, AT&T, Time Warner Cable, and other dominant ISPs are
now in a bidding war to hire him as a consultant and board member.


California Governor signs law requiring a kill switch on smartphones

Monty Solomon <monty@roscom.com>
Fri, 29 Aug 2014 23:11:21 -0400
The law requires smartphones sold in California to include antitheft
technology, a feature that lawmakers hope will lead to a cool down in phone
theft, now the hottest urban crime.

http://bits.blogs.nytimes.com/2014/08/25/california-governor-signs-law-requiring-a-kill-switch-on-smartphones/


Another Target Credit Card problem

Tim Duncan <tim@duncan.cx>
Fri, 29 Aug 2014 22:50:32 -0400
Details are still coming out, but it appears Target has another Credit Card
security issue. While the headlines are calling it a "breach" the articles
describe the security issue as someone figuring out the numbering sequence
Target uses for their REDcard and then making his own fake cards which he
was able to use to purchase over $200,000 worth of merchandise at Target
stores in California.

http://www.news10.net/story/news/local/stockton/2014/08/29/target-credit-card-breach-investigation-search-warrant/14785085/

http://blog.credit.com/2014/08/another-target-data-breach-94511/


Home Depot investigates potential hacking of credit card data (Robert Lemos)

Monty Solomon <monty@roscom.com>
Wed, 3 Sep 2014 12:04:05 -0400
Robert Lemos, Ars Technica, 2 Sep 2014
Home-supply giant is evaluating whether thieves have stolen the information.
http://arstechnica.com/security/2014/09/problems-at-home-home-depot-investigates-potential-breach/

  [See also Path of Stolen Credit Cards Leads Back to Home Depot,
  *TheNYTimes*, 4 Sep 2014:
  Bank and computer security company employees and law enforcement officials
  are tracing the track taken by the latest batch of stolen cards.  PGN]
  http://www.nytimes.com/2014/09/04/technology/path-of-stolen-credit-cards-leads-back-to-home-depot.html


Long memories can be a pain

Paul Wallich <pw@panix.com>
Tue, 02 Sep 2014 17:05:16 -0400
I've had the same primary email address for almost 25 years, which is good
in some ways and bad in others. Lately I discovered that one of the bad
things is that I can't send email to the list maintained by my son's
school. You see, it's run through Google Groups, and I checked a preference
box to prevent anyone but me from making me a member of a Google Group. Back
in the late 1990s, when accessing usenet via Google Groups got you
autosubscribed if you didn't check that box.

So why don't I just uncheck that box? Because I never made a Google account
attached to that email address (or at least the panopticon has no record of
one) and you have to log in to your Google account to change your
preferences for things like that. So 15 years later I'm locked out of a
completely different service that just happens to be run on some of the same
infrastructure.

It's fairly easy for me to fix this by ginning up another email address and
getting it properly added to the group, but it does make me wonder about 20
or 40 years hence, when the Internet is still running bits of bots from the
90s, all the old interfaces have been changed a dozen times over, and
databases have been migrated until no one active even know what some of the
fields mean. Simply forgetting people's opt-in or opt-out choices after a
certain statute of limitations seems wrong, but keeping them forever may not
be such a good idea either.

Or maybe we just shouldn't keep our email addresses for that long.


"CryptoWall held over half a million computers hostage, encrypted 5 billion files" (Lucian Constantin)

Gene Wirchenko <genew@telus.net>
Tue, 02 Sep 2014 15:17:54 -0700
Lucian Constantin, InfoWorld, 29 Aug 2014
The cyber criminals behind this dangerous ransomware program have
received $1 million so far, researchers from Dell SecureWorks said
http://www.infoworld.com/d/security/cryptowall-held-over-half-million-computers-hostage-encrypted-5-billion-files-249460


"Reconnaissance code on industrial software site points to watering hole attack" (Lucian Constantin)

Gene Wirchenko <genew@telus.net>
Tue, 02 Sep 2014 15:22:31 -0700
Lucian Constantin, InfoWorld, 02 Sep 2014
Attackers are using a sophisticated Web-based tool to gather
information on potential targets, researchers from AlienVault said
http://www.infoworld.com/d/security/reconnaissance-code-industrial-software-site-points-watering-hole-attack-249563

opening text:

Attackers have rigged the website of an industrial software firm with a
sophisticated reconnaissance tool, possibly in preparation for attacks
against companies from several industries.


Re: zero-day bounties (Baker, RISKS-28.23)

jericho <jericho@attrition.org>
Thu, 28 Aug 2014 22:01:01 -0500 (CDT)
I am curious if you posted this somewhere else and the URL wasn't included,
or if this is the entirety of your argument? As it stands, you are throwing
out some general theories and ideas, but not making any direct comparisons
or arguments that back your subject and first line.

Since the vendors pay for the bounty, introducing bugs into their own code
is counterproductive entirely. That means the basis of the Cobra Effect does
not work as a comparison.

Perverse Incentive is interesting, but the Wikipedia examples largely don't
track either (e.g. the rats, which is a throwback to cobras). The
palaeontologist/China example might, but ultimately the vendors decide what
to pay. Even if a researcher abstracts the issue out, the vendor can simply
not pay 'per vuln' if they don't agree with the abstraction.

Finally, the Moral Hazard theory doesn't seem to apply here. What 'risk' is
there on either side of the bounty program, in that context?

I am not outright disagreeing with your theory, as I feel it is untested in
the grand scheme. That said, I also don't think you make any real arguments,
let alone convincing ones, that back your original notion.

I'd like to hear more if you have time or have written about this elsewhere.


Re: Feds warn first responders of dangerous hacking tool (Seam Gallagher. RISKS-28.23)

"Scott Miller" <SMiller@unimin.com>
Fri, 29 Aug 2014 08:16:59 -0400
Patently ridiculous. I use "site:" on a regular basis so I can use Google to
actually find items offered on e-commerce sites whose local indexing and
search functions are hopelessly broken. I created a WGET application several
years ago so that we could find out that specific Dell computer models were
going end-of-life at a time when our Dell reps couldn't be bothered to
inform us. If this was a serious issue, why wouldn't DHS push Google to
cease honoring those parameters (I am NOT advocating this)? Oh, wait, that
would stop NSA, DHS, and state and local authority from milking them for
all they are worth...

Re: Henry Baker's economic arguments against mandatory "green" electrical
power: I believe that electrical utilities in the US do a daily "budget" for
power generation, based on forecast weather and other demand factors, rather
than change the supply to match demand in real time, which is the
implication I got from his post. Other than that, I think his observations
on the subject are 100% on target.


Re: Why Internet voting is a very dangerous idea

<kashotting@verizon.net>
Fri, 29 Aug 2014 19:26:15 -0500 (CDT)
But the old fashioned methods are also effective.

"Groups claim voter fraud in Maryland, Virginia.  More than 150 people may
have double voted in 2012 election." ... "The advocacy groups discovered
more than 4,300 duplicate voting registrations in a review of records in
both states."

http://www.wbaltv.com/politics/groups-claim-voter-fraud-in-maryland-virginia/27795574#!bMxgHp


Re: Why Internet voting is a very dangerous idea (Ambinder. RISKS-28/23)

John Stanley <stanley@peak.org>
Fri, 29 Aug 2014 12:47:33 -0700 (PDT)
> Unless you're one of those ornery folks who believe that only politically
> engaged Americans should vote,

Thanks. I'll take that as a compliment. If the only response to the question
"why should people who don't care enough to know what the election is about
be encouraged to vote in it" is to call names, then I know the correct
answer is, indeed, "they should not".

> Voter fraud is quite rare, and voting fraud—an organized effort to
> illegally disrupt elections—is hard to organize.

You must be joking. Every election won by a Republican in the last twenty
years has been based on voter fraud, according to the losers.  [Before
that,] the Daley machine in the city of Chicago kept control of city
politics by emptying the graveyards and reminding the political faithful to
"vote early, vote often" on election day.

Hard to organize? That's why there are political organizing groups. They
specialize in, of all things, political organizing. That includes dealing
with how to get people "out to vote", even if that requires a bus from a
suburb.

> A majority of voters regularly endorse the idea.

The results of a poll may tell you that. The result of a poll also said that
Dewey defeated Truman. What was the actual question being asked, and who
asked it to what group? A majority of voters in some places also passed laws
against same sex marriage. Using "a majority of voters" to determine what
the right way to vote is is called "cherrypicking".

> It's hard to steal elections conducted in person or with ballots printed
> on something that isn't made up of invisible electronic bits. It would be
> much easier to steal, alter, or influence elections that are conducted
> online.

It is hardER to steal a physical election, perhaps, but hard in absolute
terms? Again, you're joking.

> ... unless you somehow steal paper ballots in advance and treat them with
> magic disappearing ink that would...actually, I can't come up with even a
> fanciful way for an election using optically scanned ballots to be stolen
> or fudged on a massive scale.

It doesn't take using magic ink, all it takes is misplacing a few boxes of
ballots from key precincts. What doesn't get counted doesn't count for the
opposing candidate.

One of my parents helped supervise ballot counting for our county for many
years. Part of the training included how to detect a ballot handler who was
marking ballots while allegedly counting them. For example, unfolding the
ballot and smoothing it out while using a bit of pencil lead held onto a
finger by a band-aid to mark, or just void, the ballot. It takes very little
imagination to come up with that system and yet it can be very effective.

Or you can go to court to get the ballots thrown out for some reason that
didn't matter before the election (when objections to the process should
take place) but does now that they've been counted and you've lost. Some
military absentees don't have postmarks—throw them out. The Republican
county officials assisted their absentee voters by putting the voter id
number on the application for a ballot and the Democrat ones did not --
throw out the Republican absentees. (Or since we've counted the absentees
and they heavily favor the wrong candidate, throw them all out. Our guy
comes out ahead.)

Those are two real-life examples. Hanging chads and people trying to
determine the "intent of the voter" when someone was incapable of poking a
hole in a piece of paper... and the elderly Democrat voter who stood up in a
public meeting and declared that he had been voting for many years and
"didn't need no instructions". Apparently, sir, you did.

> With Internet voting, elections could be stolen even before they were
> held.

Yeah, why wait until during or after the election to commit fraud and steal
the election? Vote early, vote often, those bus seats are cramped but the
money is good... and you might even get a free lunch.


Re: Why Internet voting is a very dangerous idea

Mike Jeays <mike.jeays@rogers.com>
Thu, 28 Aug 2014 19:41:19 -0400
The article by Marc Ambinder makes a number of very valid points.

He does not mention the risk that many voters will be influenced by the fact
that someone else can look over their shoulder while they are voting. This
is impossible in a conventional voting booth, and this form of voting
privacy is an essential part of the process.

With voting at home, it will be all too easy for a spouse to influence his
or her partner's vote, and thereby in effect gain a second vote. Much the
same thing can happen in the workplace, with the employer or colleagues
having the same kind of influence. It may be direct or quite subtle, but it
deprives many voters of the freedom to vote how they choose with complete
privacy, which is an essential feature of any democracy.

This reason is in itself sufficient to ban Internet voting. Public voting
booths with only one person permitted in a booth, and a complete ban on
cameras in polling stations, is essential.


Re: Internet Voting: It's Even Worse Than That (Ambinder, RISKS-29.23)

Jay Ashworth <jra@baylink.com>
Mon, 1 Sep 2014 00:32:24 -0400 (EDT)
But in fact, that's too narrow a focus.

Researchers on the topic of electronic voting and vote counting, including
Rebecca Mercuri, Ph.D., will tell you—she does so, right here:

  http://www.notablesoftware.com/RMstatement.html

that *even if your Internet voting system is perfectly secure*, there are
well-known, and already used, attacks that it cannot protect against.

In fact, mail-in ballots are weak on this point already.

When you show up at the balloting location, they check that you are who you
say you are, to at least a reasonable degree of certainty, and then *an
entire room full of people watch you go into a booth alone*, and you don't
get a receipt?

So what?

So you can't prove you voted a certain way... which keeps vote-selling from
being a practical thing to do.  You think people won't buy votes?

Read history.

Nope; there is *no* way to do American Political Voting that does not
require the majority of voters to show up in person at public voting
locations, and still meets all the requirements we have determined over the
last 100 years such a plebiscite is *required* to meet.

Game over, Man.  Game over.

Jay R. Ashworth, Ashworth & Associates, St Petersburg FL  jra@baylink.com
http://www.bcp38.info  +1 727 647 1274


Re: Regarding Tesla's cash cow (Burstein, RISKS-28.23)

Ivan Jager <aij+@mrph.org>
Fri, 29 Aug 2014 15:45:51 -0400
danny burstein wrote:
> So Mr. Musk, where's my payoff for supplying the utilities with that big
> storage battery? Where's their handout to my community for the 1,000
> batteries, or 25 megawatt-hours, of storage? Why should your company and the
> utilities get all the payouts?

Do you actually supply the utilities with that big storage battery?  I'm not
finding any information about it on the Internet. Are you suggesting Tesla
is doing it behind your backs and not paying you back for the wear on your
battery? Or are you saying it is theoretically possible and therefore
automatically economically viable, so Tesla should do it and pay you back
for it?

Or have you actually done some analysis of the efficiencies of AC->DC,
battery charging, and DC->AC as well as voltage conversions and the cost of
wear on the battery as well as the inconvenience to some drivers of not
being able to drive as far as they expected when they get out of work, and
simply neglected to mention it? Assuming you commute to work in your Tesla
and power the office off of your battery, shouldn't it be your employer
paying you back for that energy since they now don't need to buy it from the
power company at peak rates?

>> "the 40,000 Tesla vehicles already on the US roads contain about
>> 3.3 gigawatts of storage capacity..."
>
> Wrong unit.  If they were gasoline-fueled vehicles, he'd be describing
> the size of the fuel tank in gallons per hour.

Keep in mind it could also be the right units but wrong thing being
measured, but it certainly raised my eyebrows when I saw it. I believe you
are right since you should be able to get a lot more than 82.5kW out of a
sporty car.  (My old Jeep can theoretically produce 142kW.)  Still, an
average storage of 82.5kWH seems a bit high unless you assume 90% of the
cars sold are the 85kWH version (with the remaining 10% being the 60kWH
version), and that none of them have lost any storage capacity yet. (Or you
could have fewer base models and more battery wear.) Anyway, my point is,
I'd like some rock salt with that.

The question of actual power output of a fleet of Teslas is also
interesting, if perhaps straying off topic. Assuming the 85 kWH battery
packs are exactly capable of producing 310 kW (the power of the performance
motor) and the 60 kWH battery packs can exactly match the base 270 kW motor,
ignoring conversion losses and assuming the same 90/10 distribution as
above, then a fleet of 40,000 Teslas could produce 12 GW for 13 minutes then
11 GW for another 3 minutes. I would guess the batteries can't actually
sustain that output power. Can you drain a Tesla by flooring it for under 20
minutes? I would guess not, although it could be due to a speed governor.


Re: Regarding Tesla's cash cow (Burstein, RISKS-28.23)

Anthonys Lists <antlists@youngman.org.uk>
Fri, 29 Aug 2014 01:44:44 +0100
> Aside from the general economic issue, the big concern is that solar power
> is intermittent and can cut out at any second.

This repeated claim by the critics of renewable power really annoys me.

Yes it *might* be true. But ask Germany or Japan, where nuclear power really
did cut out with not much more notice.

Or ask Europe, where gas is likely to cut out with precious little notice
(if the Russians turn off the tap).

ALL power sources come with a risk of failure, and renewables are no more
*or* *less* reliable than conventional supplies. (What's annoying is that my
rooftop panels won't work without a functioning grid. So if my incoming
supply goes down, it takes out my generation too...)

The fact is, "statistical averaging" really works, and will give you a
pretty reliable supply, if you're not stupid enough to put all your solar
panels in one field. Solar panels don't work at night. That does tend to
apply to a whole country at a time, but it's regular and can be accounted
for. Solar panels do actually work tolerably well in cloudy conditions, and
it's pretty rare for a cloud to cover an entire country.

The application of a little statistics allows you to calculate the total
installed capacity of a country's solar panels, the actual average
generation, and how that generation fluctuates over time. And on a scale of
thousands of micro-installations scattered over hundreds of square miles,
the actual generation curve is likely to be a pretty close fit to the
calculated curve based on average daylight over the country.

Other points to bear in mind are cost of generation. One of the things
behind the adoption of solar panels in the UK is that they generate during
the day, when demand is highest. This means that we need fewer "peak supply
only" power stations which are expensive to run, reducing the amount of
generation the utility companies need.

Renewable energy is just one more option in the list of energy sources
available, but the propaganda against it gets very tiring when it should
just be another arrow (and a very useful one at that) in our quiver.


Re: Stealing Encryption Keys Through the Power of Touch (RISKS-28.23)

Anthony Thorn <anthony.thorn@atss.ch>
Fri, 29 Aug 2014 10:02:11 +0200
Hands off my PC!

Fascinating technology, which confirms the old rule that if the attacker can
get his or her hands on your computer it can be compromised one way or
another.  The most obvious way is to install a Trojan.


Paper on novel technologies and slow diffusion of information

Andrew Odlyzko <odlyzko@umn.edu>
Mon, 1 Sep 2014 18:35:03 -0500 (CDT)
Enclosed are the URL and abstract for my latest paper on technology and
financial manias.

Your assistance in the work that led to this paper is gratefully
acknowledged, although it may not have affected this manuscript, and may
only influence later ones.  Because a referee and an editor complained about
the inordinately long acknowledgments in a previous paper, I have now listed
you along with everyone else who assisted in this project on the web page

   http://www.dtc.umn.edu/~odlyzko/doc/mania-ack.html

Again, many thanks for your help, and if you have any comments on this work,
I would be delighted to receive them.

                   The forgotten discovery of gravity models
                 and the inefficiency of early railway networks
                http://www.dtc.umn.edu/~odlyzko/doc/mania09.pdf

                             Andrew Odlyzko
                             odlyzko@umn.edu
                     http://www.dtc.umn.edu/~odlyzko

                              ABSTRACT

The routes of early railways around the world were generally inefficient
because the prevailing doctrine of the time called for concentrating on
provision of fast service between major cities and neglect of local traffic.
Modern planners rely on methods such as the "gravity models of spatial
interaction," which show the costs of such faulty assumptions.  Such models
were not used in the 19th century.

The first formulation of gravity models is usually attributed to Henry Carey
in 1858.  This paper shows that a Belgian civil engineer, Henri-Guillaume
Desart, discovered them earlier, in 1846, based on the study of a unique and
extensive data set on passenger travel in his country.  His work was
published during the great Railway Mania in Britain.  Had the validity and
value of this contribution been recognized properly, the investment losses
of that gigantic bubble could have been lessened, and more efficient rail
systems in Britain and many other countries would almost surely have been
built.  This incident shows society's early encounter with the "Big Data" of
the day and the slow diffusion of economically significant information.  The
methods used in the study point to ways to apply methods of modern network
science to analyze information dissemination in the 19th century.

The above paper, as well as previous papers in this series, is available at:
           http://www.dtc.umn.edu/~odlyzko/doc/bubbles.html


Quantum Networking book published

Rodney Van Meter <rdv@sfc.wide.ad.jp>
Fri, 29 Aug 2014 08:04:25 -0400
Apologies for the bit of self-promotion, but I've just published a book
which some RISKS readers might find interesting, and are unlikely to hear
about through other channels.

Quantum computing and communications has a strong relationship to security
and cryptography.  The topic shows up here in RISKS occasionally.  (For what
it's worth, I've been a RISKS reader since the 1980s.)  My own background is
in computer systems (OS, architecture, storage), but for the last ten years
I've been working on architectures for quantum computers and quantum
networks.  ACM members may have seen my article with Clare Horsman in
Communications of the ACM; it was the cover article last October.

My book, _Quantum Networking_, has just been published by Wiley-ISTE, and is
targeted at people with my own interests and experiences, such as RISKS
readers.  It begins with no assumption of any background in quantum
mechanics or quantum computing, and carries the reader through the leading
edge of work on quantum repeater networks, which will hopefully evolve to
allow us to create and use quantum entanglement (Einstein's famous "spooky
action at a distance") at intercontinental distances.

The first of four parts covers basic concepts, including just enough on the
notation and mathematics, a chapter for the physicists on why large-scale
networks are hard, and quantum teleportation.  Linear algebra (multiplying
matrices, eigenvectors and eigenvalues), exponentiation of complex numbers,
and basic discrete probability—if you can handle these, you won't have
any trouble with the math.

The second part, covering applications of quantum networks, may be of the
most interest to RISKS readers.  One chapter covers the well-known quantum
key distribution (QKD) from the point of view of someone (me) who has
actually worked on IPSEC, and talks about the sets of circumstances in which
it actually provides useful enhancements to security.  Other cryptographic
primitives such as quantum secret sharing and quantum Byzantine generals
agreement are discussed.  There is a brief description of universal blind
quantum computation, which is a client-server computation in which the
server learns *nothing* about the computation it is performing on behalf of
the client, except an upper bound on its size.  Finally, the use of
entanglement as a shared reference frame allows applications like
long-baseline optical interferometry and clock synchronization.  I bring
together the little that has been studied about needed entanglement
generation rates and extend it to talk about both connection and network
performance requirements.

The third part covers mainstream research on lines of quantum repeater
links.  Quantum repeaters, unlike basic single-photon QKD, can in theory
operate over long distances by coupling links together into a path, without
requiring trust of the intermediate nodes.

The fourth part, on extending from lines of links to topologically complex
networks, represents the core of my own research.  It covers multiplexing
and resource management, routing, and our Quantum Recursive Network
Architecture, which sketches a path to a quantum Internetwork that can truly
scale to global levels.

I hope people in the community will find it of some use.  Feel free to send
me questions, comments, and errata.  Should someone here feel the urge, you
have my blessing, indeed encouragement, to write an independent, unbiased
review.  I'm sure PGN would publish it.

http://www.wiley.com/WileyCDA/WileyTitle/productCd-1848215371.html
available in hardback and various electronic formats.  I actually have not
seen the electronic formats, so I can't vouch for their fidelity in
reproducing equations and figures.

Please report problems with the web pages to the maintainer

Top