The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 35

Thursday 13 November 2014

Contents

"Docking with a non-cooperative object" - Salyut 7 rescue
Ed Ravin
Ontario Provincial Police Recommend Ending Anonymity on the Internet
Michael Geist
Fire Eye Map of Very Recent Cyber Attacks
Alister Wm Macintyre
Peeping: 73K unsecured security cameras thanks to default passwords
Network World
“Internet is a Dark and Ungoverned Space''
Sir Bernard Hogan-Howe) quoted via Chris Drewe
German spy agency seeks millions to monitor social networks outside Germany and crack SSL
IT World
Users can't tell Facebook from a scam
ZDNet via NNSquad
Major new Windows TLS bug
Ars Technica
Microsoft reports CRITICAL Vulnerability in Windows 7/2003 and later TLS implementations
MS via Bob Gezelter
ISPs reportedly interfering with customer use of STARTTLS
RFC 3207
Kapersky reports sophisticated attacks using forged certificates against targeted high-value individuals
Bob Gezelter
ISPs Removing Their Customers' Email Encryption
EFF
"Apple security checks may still miss iWorm malware"
Jeremy Kirk via Gene Wirchenko
"Google releases tool to test apps, devices for SSL/TLS weaknesses"
Lucian Constantin
"Device loss, not hacking, poses greatest risk to health care data"
Serdar Yegulalp
"Home Depot says 53 million email addresses compromised during breach"
Steve Ragan
The Home Depot Reports Findings in Payment Data Breach Investigation
Jim Reisert
"Tor Project mulls over how law enforcement took down hidden websites"
Jeremy Kirk
Ontogeny recapitulates Prodigy?
Ed Ravin
Fearing Bombs That Can Pick Whom to Kill
NYT via Matthew Kruk
The $11M Tool That Could Help Computers Write Their Own Code
Klint Finley
Galois report on Internet voting hack
PGN
Re: Risks of assuming votes are accurate
Dimitri Maziuk
Steven Jay Klein
Re: Online voting rife with hazards
John Sebes
No risk of overturning a Senator's election due to dead voters
Mark E. Smith
Re: "Have we gotten so pathetically lame that you need to be notified by an email that your laundry is done?"
Bob Frankston
Re: $750k Fine for exporting crypto
Amos Shapir
Info on RISKS (comp.risks)

"Docking with a non-cooperative object" - Salyut 7 rescue

Ed Ravin <eravin@panix.com>
Sun, 9 Nov 2014 11:04:53 -0500
How do you dock to a space station that has lost all power, when your
docking procedure relies on telemetry from the station's computer and the
expectation that the station will turn itself so its docking port faces the
incoming spacecraft?

"The following story happened in 1985 but subsequently vanished into
obscurity. [...] After extensive research, writer Nickolai Belakovski is
able to present, for the first time to an English-speaking audience, the
complete story of Soyuz T-13’s mission to save Salyut 7, a
fascinating piece of in-space repair history."

http://arstechnica.com/science/2014/09/the-little-known-soviet-mission-to-rescue-a-dead-space-station/


Ontario Provincial Police Recommend Ending Anonymity on the Internet (Michael Geist)

Lauren Weinstein <lauren@vortex.com>
Mon, 10 Nov 2014 11:52:16 -0800
MG via NNSquad
http://www.michaelgeist.ca/2014/11/ontario-provincial-police-recommend-ending-anonymity-internet/

  "Leaving aside the deeply troubling inference of requiring licences to the
  use the Internet in the same manner as obtaining a driver's licence, the
  police desire to stop online anonymity suggests that the OPP has not read
  the Supreme Court of Canada Spencer decision very carefully. If it had, it
  would know that not only does the court endorse a reasonable expectation
  of privacy in subscriber information, but it emphasizes the importance of
  online anonymity in doing so."

The OPP: A "Dangerous Idiots" Award Winner!


Fire Eye Map of Very Recent Cyber Attacks

"Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Sun, 9 Nov 2014 18:42:15 -0600
Here is the map
http://www.fireeye.com/cyber-map/threat-map.html

Here is the explanation of the dots connected.
http://www.fireeye.com/blog/uncategorized/2014/10/a-threatening-threat-map.html

Some customers have given Fire Eye permission to share info about attacks
they experienced.  To mask customer identity, locations are represented as
the center of the country in which they reside. There is nothing in the data
that can be used to identify a customer or their origin city.

I became interested in Fire Eye, when a breached place was determined to
have purchased cyber security protection, then ignored alerts and warnings
about vulnerabilities at high risk of being exploited, and the security
companies were identified - had the breached place only acted on those
warnings, it would not have been breached.  Fire Eye was one of the cyber
protection outfits named.


Peeping: 73K unsecured security cameras thanks to default passwords

Lauren Weinstein <lauren@vortex.com>
Fri, 7 Nov 2014 10:17:06 -0800
Network World (via NNSquad)
http://www.networkworld.com/article/2844283/microsoft-subnet/peeping-into-73-000-unsecured-security-cameras-thanks-to-default-passwords.html

  "There were lots of businesses, stores, malls, warehouses and parking
  lots, but I was horrified by the sheer number of baby cribs, bedrooms,
  living rooms and kitchens; all of those were within homes where people
  should be safest, but were awaiting some creeper to turn the "security
  surveillance footage" meant for protection into an invasion of privacy
  ... So many cameras are setup to look down into cribs that it was
  sickening; it became like a mission to help people secure them before a
  baby cam "hacker" yelled at the babies ... I'm unwilling to say how many
  calls I made, or else you might think I enjoy banging my head against the
  wall. It was basically how I spent my day yesterday. Too many times the
  location couldn't be determined, led to apartments, or the address wasn't
  listed in a reverse phone search. After too many times in a row like that,
  I'd switch to a business as it is much easier to pinpoint and contact ...
  One call was to a military installation. Since the view was of beautiful
  fall foliage, it seemed like a "safe" thing to find out if that camera was
  left with the default password on purpose.  Searching for a contact number
  led to a site that was potentially under attack and resulted in a "privacy
  error." Peachy. Then I had two things to relay, but no one answered the
  phone. After finding another contact number and discussing both issues at
  length, I was told to call the Pentagon! Holy cow and yikes! ...
  Managers, don't shoot the messenger; a person out to hurt you might dig
  into a Linux box with root, but no exploit or hacking is needed to view
  the surveillance footage of your unsecured cameras! It's exceedingly rude
  to yell or accuse a Good Samaritan of "hacking" you.  If your cameras are
  AVTech and admin is both username and password, or Hikvision "secured"
  with the defaults of admin and 12345, then you need to change that. Or
  don't and keep live streaming on a Russian site."

    [The usual countermeasure to this kind of attack is Peeping Duck.
    But ducking doesn't work very well.  PGN]


“Internet is a Dark and Ungoverned Space''

Chris Drewe <e767pmk@yahoo.co.uk>
Sat, 08 Nov 2014 21:42:02 +0000
There's a report in the newspaper of Sir Bernard Hogan-Howe, Metropolitan
(London) Police Commissioner, speaking at an international terrorism
conference in New York this week (Nov 6th).  Among other things, he's quoted
as saying "... the Internet is becoming a dark and ungoverned space in which
too little is done to guard against... murders and terrorists, and called on
technology firms to do more to provide online protection... the methods used
by offenders... are in danger of making the Internet anarchic... we cannot
allow parts of the Internet—or any communications platform—to become a
dark and ungoverned space... in a democracy, we cannot accept any space --
virtual or not—to become anarchic."  Not sure what he wants; a
Chinese-style firewall?

This is taken from the print version, which is a summary of two longer
on-line articles with slightly different words:

http://www.telegraph.co.uk/news/uknews/law-and-order/11215149/Bobbies-on-the-beat-will-help-tackle-terrorism-says-Met-chief.html

http://www.telegraph.co.uk/news/uknews/crime/11216093/Six-Britons-accused-of-running-online-drug-market-Silk-Road-2.0.html


German spy agency seeks millions to monitor social networks outside Germany and crack SSL

Lauren Weinstein <lauren@vortex.com>
Mon, 10 Nov 2014 23:31:22 -0800
IT World via NNSquad
http://www.itworld.com/article/2845603/german-spy-agency-seeks-millions-to-monitor-social-networks-outside-germany.html

  "The BND also wants to spend EUR4.5 million to crack and monitor HTTPS
  (Hypertext Transfer Protocol Secure) encrypted Internet traffic. By 2020
  some of that money may be spent [on] the black market to buy zero day
  exploits, unpublicized vulnerabilities that can be exploited by hackers."

Weren't the Germans complaining loudly about NSA? Oh well.


Users can't tell Facebook from a scam

Lauren Weinstein <lauren@vortex.com>
Thu, 6 Nov 2014 07:44:40 -0800
ZDNet via NNSquad
http://www.zdnet.com/users-cant-tell-facebook-from-a-scam-7000035440/

  "A new whitepaper from Bitdefender examined victims targeted in 850,000
  Facebook scams. It turns out Facebook's user experience makes it easy for
  scammers to exploit users."


Major new Windows TLS bug (Ars Technica)

Lauren Weinstein <lauren@vortex.com>
Tue, 11 Nov 2014 17:10:44 -0800
Ars Technica via  NNSquad
http://arstechnica.com/security/2014/11/potentially-catastrophic-bug-bites-all-versions-of-windows-patch-now/

  Microsoft has disclosed a potentially catastrophic vulnerability in
  virtually all versions of Windows. People operating Windows systems,
  particularly those who run websites, should immediately install a patch
  Microsoft released Tuesday morning.  The vulnerability resides in the
  Microsoft secure channel (schannel) security component that implements the
  secure sockets layer and transport layer security (TLS) protocols,
  according to a Microsoft advisory. A failure to properly filter specially
  formed packets makes it possible for attackers to execute attack code of
  their choosing by sending malicious traffic to a Windows-based server.


Microsoft reports CRITICAL Vulnerability in Windows 7/2003 and later TLS implementations

"Bob Gezelter" <gezelter@rlgsc.com>
Tue, 11 Nov 2014 23:47:35 -0700
Microsoft Security Bulletin MS14-066 reports a Critical bug in its
implementation of TLS on Windows 7/2003 and later systems.  From the
announcement: "Vulnerability in Schannel Could Allow Remote Code Execution
This security update resolves a privately reported vulnerability in the
Microsoft Secure Channel (Schannel) security package in Windows. The
vulnerability could allow remote code execution if an attacker sends
specially crafted packets to a Windows server.  This security update is
rated Critical for all supported releases of Microsoft Windows. For more
information, see the Affected Software section.  The security update
addresses the vulnerability by correcting how Schannel sanitizes specially
crafted packets. For more information about the vulnerability, see the
Frequently Asked Questions (FAQ) subsection for the specific vulnerability.
The report is at: https://technet.microsoft.com/library/security/MS14-066
The CVE reference for this problem is: CVE-2014-6321 - Bob Gezelter,
http://www.rlgsc.com


ISPs reportedly interfering with customer use of STARTTLS (RFC 3207)

"Bob Gezelter" <gezelter@rlgsc.com>
Wed, 12 Nov 2014 08:28:51 -0700
The EFF reports that some ISPs are apparently altering data in customer SMTP
connections to remove the STARTTLS flag. The STARTTLS flag, defined in RFC
3207 switches SMTP connections from plaintext to TLS. By stripping the
STARTTLS flag, the ISP disables encryption on the connection, enabling
eavesdropping on the headers and the message body (if not otherwise
encrypted with S/MIME or PGP).  Several questions arise: - WHY? Is this
being done on their own initiative, or is it being ordered by a third party?
- As there was apparently no disclosure, is it legal?  Unannounced
modification of customer data streams has a number of implications in
different domains, from legal to simple privacy.  The EFF article is at:
https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks

Bob Gezelter, http://www.rlgsc.com


Kapersky reports sophisticated attacks using forged certificates against targeted high-value individuals

"Bob Gezelter" <gezelter@rlgsc.com>
Tue, 11 Nov 2014 00:28:49 -0700
Kapersky Laboratories has reported the discovery of a long-running set of
attacks targeted against senior executives using hotel (cabled and Wi-Fi)
Internet access.  Most disturbingly, the attacks involved forged
certificates and were targeted at individuals, which implies systematic
breaches beyond the attack itself. The mechanism involved targeted IFRAMEs
from the network access gateway which users use to authenticate to the
local property's network access.  This would appear to be a case of
precision targeted malware, something I wrote about in the "Computer
Security Handbook, Fourth Edition" more than 10 years ago. Such malware is
particularly pernicious, as it is not seen enough to be familiar to
anti-virus vendors and thus detectable. It can only be detected by a very
detailed review of the affected system(s).  The report is
at: https://securelist.com/files/2014/11/darkhotel_kl_07.11.pdf  - Bob
Gezelter, http://www.  rlgsc.com


ISPs Removing Their Customers' Email Encryption (EFF)

Lauren Weinstein <lauren@vortex.com>
Tue, 11 Nov 2014 18:53:55 -0800
EFF via NNSquad
https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks

  "Another network-tampering threat to user safety has come to light from
  other providers: email encryption downgrade attacks. In recent months,
  researchers have reported ISPs in the US and Thailand intercepting their
  customers' data to strip a security flag--called STARTTLS--from email
  traffic. The STARTTLS flag is an essential security and privacy protection
  used by an email server to request encryption when talking to another
  server or client."


"Apple security checks may still miss iWorm malware" (Jeremy Kirk)

Gene Wirchenko <genew@telus.net>
Mon, 10 Nov 2014 12:13:35 -0800
Jeremy Kirk, Infoworld, 5 Nov 2014
New research says Gatekeeper and XProtect aren't entirely effective
in protecting Mac OS X against iWorm malware
http://www.infoworld.com/article/2843798/security/apple-security-checks-may-still-miss-iworm-malware.html


"Google releases tool to test apps, devices for SSL/TLS weaknesses" (Lucian Constantin)

Gene Wirchenko <genew@telus.net>
Mon, 10 Nov 2014 12:16:38 -0800
Lucian Constantin, Infworld, 5 Nov 2014
The tool simulates man-in-the-middle attacks to detect SSL/TLS
vulnerabilities and implementation issues
http://www.infoworld.com/article/2843756/security/google-releases-tool-to-test-apps-devices-for-ssltls-weaknesses.html


"Device loss, not hacking, poses greatest risk to health care data" (Serdar Yegulalp)

Gene Wirchenko <genew@telus.net>
Mon, 10 Nov 2014 12:18:23 -0800
Serdar Yegulalp, InfoWorld, 10 Nov 2014
California DOJ report on data breaches shows most losses in health
care revolve around stolen devices, due to weak use of encryption
http://www.infoworld.com/article/2844957/data-security/device-loss-not-hacking-puts-health-care-data-most-at-risk.html


"Home Depot says 53 million email addresses compromised during breach" (Steve Ragan)

Gene Wirchenko <genew@telus.net>
Tue, 11 Nov 2014 14:17:34 -0800
Steve Ragan, Infoworld, 7 Nov 2014
In addition to 56 million payment cards, 53 million email addresses
are added to the list of compromised data
http://www.infoworld.com/article/2844514/security/home-depot-says-53-million-email-addresses-compromised-during-breach.html


The Home Depot Reports Findings in Payment Data Breach Investigation

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Thu, 6 Nov 2014 16:33:09 -0700
ATLANTA, Nov. 6, 2014 /PRNewswire/—The Home Depot, the world's largest
home improvement retailer, today disclosed additional findings related to
the recent breach of its payment data systems. The findings are the result
of weeks of investigation by The Home Depot, in cooperation with law
enforcement and the company's third-party IT security experts.

In addition to details previously released, the investigation to date
has determined the following:

* Criminals used a third-party vendor's user name and password to
enter the perimeter of Home Depot's network.  These stolen credentials
alone did not provide direct access to the company's point-of-sale
devices.

* The hackers then acquired elevated rights that allowed them to
navigate portions of Home Depot's network and to deploy unique,
custom-built malware on its self-checkout systems in the U.S. and
Canada.

* In addition to the previously disclosed payment card data, separate
files containing approximately 53 million email addresses were also
taken during the breach.  These files did not contain passwords,
payment card information or other sensitive personal information.

https://finance.yahoo.com/news/home-depot-reports-findings-payment-213000609.html


"Tor Project mulls over how law enforcement took down hidden websites" (Jeremy Kirk)

Gene Wirchenko <genew@telus.net>
Tue, 11 Nov 2014 14:19:58 -0800
Jeremy Kirk, Infoworld, 10 Nov 2014
The project doesn't have funding as yet to improve the security of hidden sites
http://www.infoworld.com/article/2845008/security/tor-project-mulls-over-how-law-enforcement-took-down-hidden-websites.html

opening text:

Little is known about how U.S. and European law enforcement shut down more
than 400 websites, including Silk Road 2.0, which used technology that hides
their true IP addresses.

The websites were set up using a special feature of the Tor network, which
is designed to mask people's Internet use using special software that routes
encrypted browsing traffic through a network of worldwide servers.


Ontogeny recapitulates Prodigy?

Ed Ravin <eravin@panix.com>
Sun, 9 Nov 2014 23:41:49 -0500
Monty Solomon wrote in about "Fall of the Banner Ad: The Monster That
Swallowed the Web" in the NY Times, which claims the Web banner ad is 20
years old.  I think it's a bit older than that.

Anybody remember the Prodigy online service?  Back in the 1980's, they
were using banner ads - or perhaps we should call them footer ads as they
usually occupied the bottom quarter of the screen.  Here's a sample:

http://cdn.theatlantic.com/assets/media/img/posts/2014/07/screenshot_games/5df26af65.png

Back when I worked there, I had no idea how close that image was to the
future of world-wide online services.  Many of the other things Prodigy did
turned out to be precursors of the modern Web—online shopping, airline
tickets, grocery orders, unscientific but absurdly popular online polls, and
a nationwide content caching network built on IBM Series/1 minicomputers,
with a bank of dialup modems in each one, at least ten years before Akamai
had the same idea. All this was built with clunky technology about as
efficient for the purpose as Roman numerals are for doing calculus.

Prodigy was also ahead of their time when it came to getting statistics on
user behavior - the software that ran the service on the user's PC sent back
regular accounting data on what users were doing, the kind of stuff you
might get now with Google Analytics, cookies, and Web bugs.

Prodigy patented many of their software processes --
http://www.google.com/patents/US5347632 is one example, which describes the
Prodigy "reception system", software running on the user's PC that had a
role analogous to the modern Web browser.  It didn't run Java or HTML, but
it did download code written in Prodigy's proprietary "TBOL" language, and
marked-up data in another proprietary format.  Who knows, if they'd written
that patent a little more broadly, they might be collecting licensing fees
today from every copy of IE and Firefox.

Interestingly, that patent also describes how Prodigy monitored user
characteristics in order to target online ads.  This patent was filed a year
before Sergei Brin and Larry Page met at Stanford.  Just like ontogeny was
supposed to have recapitulated phylogeny, it looks like the Web's ontogeny
has recapitulated Prodigy.


Fearing Bombs That Can Pick Whom to Kill

"Matthew Kruk" <mkrukg@gmail.com>
Wed, 12 Nov 2014 12:08:50 -0700
http://www.nytimes.com/2014/11/12/science/weapons-directed-by-robots-not-humans-raise-ethical-questions.html?emcit_th_20141112&nl=todaysheadlines&nlid2604355&_r=0


The $11M Tool That Could Help Computers Write Their Own Code (Klint Finley)

*Dewayne Hendricks* <dewayne@warpspeed.com>
Saturday, November 8, 2014
Klint Finley, *WiReD*, Nov 7 2014 (via Dave Farber)
The $11M Tool That Could Help Computers Write Their Own Code
<http://www.wired.com/2014/11/darpa-pliny/>

Nowadays, if you start typing something into Google, it tries to guess what
you're looking for. Type `Wi', and it might suggest Wikipedia.  Key in
`Bra', and it'll guess Brad Pitt. Yes, these autocomplete suggestions are
sometimes hilariously off the mark, but more often than not, they're rather
accurate, providing a handy shortcut to what you want.

Now, a government-backed research team wants to provide similar suggestions
to the world's programmers as they're writing computer code. That's right:
the aim is to guess what programmers are coding before they code it.

This week, Rice University said that DARPA, the Pentagon's mad science
division, has invested $11 million in this autocomplete programming project,
dubbed PLINY, after the ancient Roman author of the first encyclopedia,
“Text search prediction is the best analogy,''says Vivek Sarkar, the chair
of the computer science department at Rice and the principal investigator on
the project.  `People will be able to will be able to pick from a list of
possible solutions.''

That's right: the aim is to guess what programmers are coding before they
code it.

The project involves researchers from from Rice, the University of
Texas-Austin, the University of Wisconsin-Madison, and the developer tools
company GrammaTech. PLINY will index massive amounts of opens source code
gathered from the web to power a prediction engine that the researchers hope
will be able to predict what coders are about to type. It could also, in
theory, spot bugs or security vulnerabilities.

If successful, PLINY could be a boon to companies struggling to find enough
qualified programmers to work on increasingly complex software projects.
It's a problem a growing number of startups are trying to solve, ranging
from code education companies like Codecademy to tools like Light Table that
aim to make programming more intuitive.

Microsoft and Beyond

PLINY isn't the first attempt to build an autocomplete system for coders.
Microsoft is working on something similar with its Bing Developer Assistant,
which was released last summer. But Sarkar says PLINY is an even more
ambitious project. “Most others are just text analysis with some
knowledge of code structure,'' he says.

  [Warren Teitelman's DWIM in Interlisp?  PGN]

Sarkar's team is trying to develop software that analyzes not only text, but
also the concepts expressed in code, regardless of the programming language
it's written in. Sarkar hopes this will enable PLINY to suggest even large
chunks of code that can seamlessly integrate with what a developer has
already written. Better still, it might correct security vulnerabilities and
other mistakes.  [...]


Galois report on Internet voting hack

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 7 Nov 2014 16:42:47 PST
  (The Kiniry in the Goal Mine?  PGN)

Joe Kiniry, Galois
http://galois.com/wp-content/uploads/2014/11/technical-hack-a-pdf.pdf
http://galois.com/blog/2014/11/hacking-internet-voting-via-ballot-tampering/


Re: Risks of assuming votes are accurate (Motala, RISKS-28.34)

Dimitri Maziuk <dmaziuk@bmrb.wisc.edu>
Thu, 06 Nov 2014 18:23:54 -0600
Assume "only the citizens get to vote" is an essential principle of voting.

Letting illegal immigrants eat allowed those individuals to survive to
obtain a drivers license. Which in turn allowed them to register to vote.
As a result these non-citizens are now able to vote.

Non-citizens voting violates an essential principle.

Violation of the essential principles is usually seen as damaging.

QED

Dimitri Maziuk, BioMagResBank, UW-Madison—http://www.bmrb.wisc.edu


Re: Risks of assuming votes are accurate (Motala, RISKS-28.34)

Steven Jay Klein <steven@yourmacexpert.com>
Mon, 10 Nov 2014 14:00:31 -0500
On Nov 6, 2014, at 6:45 PM, RISKS List Owner <risko@csl.sri.com> wrote:
> This is equivalent to saying "...there seemed to have been a false
> assumption that allowing illegal immigrants to eat would not have any
> deleterious effects (on voting)."

Not quite the same thing.

In my state (and many others), drivers are offered the opportunity to
register to vote when they obtain a drivers license.

I have never been offered a voter registration form when buying groceries or
dining in a restaurant.

Also, in my state (and many others), voters are required to present a
drivers license or other state ID.

Issuing drivers licenses certainly facilitates illegal voting in a way that
eating does not.


Re: Online voting rife with hazards (Shapir, RISKS-28.34)

John Sebes <jsebes@osetfoundation.org>
Fri, 07 Nov 2014 10:29:31 -0800
Responding to Amos on the constitutionality of a voter choosing to waive
ballot secrecy for Internet voting ..

IANAL but I do know a bit about elections. Ballot secrecy is a matter of
state election law, not state of federal constitutional law. Following the
chain 3 levels:

* The U.S Constitution simply requires elections to happen, in Article 1
Section 2 and then says in Section 4 "The Times, Places and Manner of
holding Elections for Senators and Representatives, shall be prescribed in
each State by the Legislature thereof" and that's it for elections.

* State constitutions sometimes define or constrain election procedures, but
Alaska's does not: "Methods of voting, including absentee voting, shall be
prescribed by law. Secrecy of voting shall be preserved."  Article 5 Section
3, in other words, defers to state election law on particulars, and states a
goal (without definition) "secrecy of voting."  Since AK election law
permits absentee voting, clearly the interpretation of secrecy is not
absolute.

* Alaska's state election laws specifically allow an individual to waive
anonymity and indeed even integrity of their ballot, and further passes
responsibility from state law to regulation adopted by the state election
director. The law requires that the regulation "ensure the accuracy and, to
the greatest degree possible, the integrity and secrecy of the ballot" ...

... which as we know for electronic transmission the greatest degree
possible is "not a lot" in practice. (The same law specifies the message
Amos noted with horror: "I understand that, by using electronic transmission
to return my marked ballot, I am voluntarily waiving a portion of my right
to a secret ballot to the extent necessary to process my ballot, but expect
that my vote will be held as confidential as possible.")

I didn't track down the regulation itself but I surmise that it follows
election law, which permits any voter to vote absentee at their discretion,
in allowing any absentee voter to use electronic transmission at their
discretion.

So in practice, Alaska allows an unbounded number of voters to cast a ballot
where the integrity of the ballot need be only best-effort based on the
capability of the local election officials. It's interesting to note that in
the recent Senate contest, the margin of victory (based on current reports)
is 8,149 out about 225,000 votes cast. A 3% margin sounds safe—until you
realize that it is only 8000 votes, and you wonder how many people voted by
Internet, and if was indeed around 8000 people, who was running the servers
that received and stored the digital ballots. Good thing that control of the
Senate did not hinge on this contest :-)

John Sebes, TrustTheVote Project, Open Source Election Technology Foundation


No risk of overturning a Senator's election due to dead voters.

"Mark E. Smith" <mymark@gmail.com>
Fri, 7 Nov 2014 10:02:19 +0800
In "Absentee ballot of deceased Boston mayor not counted," Wexelblat
<wex@cs.uml.edu> wrote:

"The big risk, of course is that some close election will be overturned after
a year or so because it is determined that several voters who were presumed
living on election day were ultimately discovered to have been dead.

The implications of determining that sitting legislators, even Senators,
were not actually elected ..."

I don't know about local or state elections, but Congressional elections are
governed by Article I, Section 5, of the Constitution which makes Congress
the sole judge of the elections, returns, and qualifications of its sitting
Members. Therefore, once a Member of Congress has been sworn into office
only Congress itself, and not even the Supreme Court, can remove that
Member.

The candidate who should have won is free to file a Federal Election Appeal
with Congress, but nobody else has any recourse. Once a Member has been
sworn in, Congress is usually reluctant to unseat them no matter how
fraudulent that Member's election may have been (as some may recall from the
Clint Curtis case), so there is no risk of a sitting Senator being removed
merely because of proof of dead voters.


Re: "Have we gotten so pathetically lame that you need to be notified by an email that your laundry is done?" (RISKS-28.34)

"Bob Frankston" <bob2-53@bob.ma>
6 Nov 2014 19:14:30 -0500
There are multiple issues here.

One is the marketing frenzy of the buzzword IoT. Reminds me of gluing a
tablet to a refrigerator and marking it up to $6000 as an Internet device.
Closely related is the moral judgment by those who take the contrived
stories seriously.

The bigger risk, though is the one I wrote about in http://rmf.vc/CILight --
the need to create high value applications because no one wants to be in the
business of providing enabling technology and infrastructure like we got
with IP and HTML.

You can invest a lot of money to make such applications work. That is why
today's IoT is full of non-synergistic point solutions. Some are very clever
but many are like the smart systems in cars and are prisoners of history.
They create the illusion of the NBT (Next Big Thing) but it's going to take
a while to work through the myriad of new risks. At least this digest will
get lots of content ...


Re: $750k Fine for exporting crypto

Amos Shapir <amos083@gmail.com>
Tue, 11 Nov 2014 11:04:37 +0200
I used to work at a development center in Israel of a US company.  I once
traveled to a show in NYC carrying a sample product in my luggage, which was
developed and built in Israel; on the way back, I had to leave it with the
US customs because it was considered too advanced to be exported!

Considering the history of some of the most popular encryption algorithms
and products (e.g., RSA), it would be ironic if among the products banned by
the BIS, were one which was invented in Israel, developed in Russia,
designed in South Korea and produced in China...

Please report problems with the web pages to the maintainer

Top