The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 37

Friday 21 November 2014

Contents

Australia rules out e-voting
Dave Horsfall
Electronic Election Fraud Apparent in Brazil; Done in America Today?
Andre Carezia
Twitter used to pass election polling information?
Harry Hochheiser
Auckland 'NewCore' project a year late and $100 million over budget
Richard A. O'Keefe
Drones Sighted by Pilots Landing at JFK Airport in NYC Show New Risks
Monty Solomon
Ian Urbina: The Secret Life of Passwords
NYT via PGN
Android source of spreading malware
NYT via PGN
Why mobile and consumer ISPs shouldn't censor encryption or the Net
John Gilmore
"Microsoft does it again, botches KB 2992611 SChannel patch"
Woody Leonhard via Gene Wirchenko
"Malware served through rogue Tor exit node tied to cyber espionage group"
Lucian Constantin via Gene Wirchenko
"ISACA survey shows security disconnect for breaches, wearables"
Maria Korolov via Gene Wirchenko
"How to lose customers with excessive security"
Galen Gruman via Gene Wirchenko
"CASL restricts freedom of speech, academic paper argues"
Brian Jackson via Gene Wirchenko
High-school RISKS courses?
William Ehrich
China blocks websites as Internet meeting begins
Lauren Weinstein
Pay Phones in New York City Will Become Free Wi-Fi Hot Spots
Monty Solomon
Privacy Concerns for ClassDojo and Other Tracking Apps for Schoolchildren
Monty Solomon
Re: 81% of Tor users can be de-anonymized by analyzing router ...
PGN
Re: The GCHQ boss's assault on privacy
Chris Drewe
Info on RISKS (comp.risks)

Australia rules out e-voting

Dave Horsfall <dave@horsfall.org>
Fri, 21 Nov 2014 10:17:37 +1100 (EST)
E-voting ruled out by Australian parliamentary committee
http://www.smh.com.au/it-pro/government-it/evoting-ruled-out-by-parliamentary-committee-20141120-11qjv1.html

E-voting is highly vulnerable to hacking, a parliamentary committee has
found.

Australians won't be using computers to vote in federal elections any time
soon.

That's because it's still not as secret or secure as writing on a ballot
paper, a parliamentary committee has concluded.

Dave Horsfall DTM (VK2KFU)  "Bliss is a MacBook with a FreeBSD server."
http://www.horsfall.org/spam.html


Electronic Election Fraud Apparent in Brazil; Done in America Today?

Andre Carezia <andre@carezia.srv.br>
Tue, 18 Nov 2014 11:14:51 -0200
http://noisyroom.net/blog/2014/11/05/electronic-election-fraud-apparent-in-brazil-done-in-america-today/


Twitter used to pass election polling information?

Harry Hochheiser <hshoch@gmail.com>
Mon, 17 Nov 2014 17:26:03 -0500
Did the GOP use Twitter to break campaign finance law?
Twitter profiles were meaningless without knowledge of how to find and
decode them.
http://arstechnica.com/tech-policy/2014/11/did-the-gop-use-twitter-to-break-campaign-finance-law/

In 2010, the Supreme Court ruled in Citizens United that unions, groups,
and nonprofit corporations had a First Amendment right to spend as much as
they wanted on political campaigns. The only caveat was that they could not
coordinate with the actual campaign they were campaigning for.

But CNN said Monday that the GOP employed Twitter to "stretch" Citizens
United by using anonymous Twitter accounts to publicly share internal
polling data to "signal to the campaign committees where to focus on
precious time and resources." ...

  [Harry later added more:]

The blowback is part of the issue, isn't it?  Perhaps the tweets were sent
by Democrats who were hoping to pin something nefarious on the Republicans?
Inherent risks of anonymity, to be sure, but arguably less risky than the
alternative.  Encrypted e-mail would have done the job almost as easily...


Auckland 'NewCore' project a year late and $100 million over budget

"Richard A. O'Keefe" <ok@cs.otago.ac.nz>
Thu, 20 Nov 2014 14:45:20 +1300
Auckland is New Zealand's largest city.  The wider Auckland region used to
be split amongst 8 local bodies, but in 2010 the central government merged
them into a single `super-city', holding 1/3rd of the country's population.
The `NewCore' project was set up to make a new system to replace and improve
on the existing eight IT systems.

See a slide deck on it:

http://www.aucklandcouncil.govt.nz/SiteCollectionDocuments/aboutcouncil/committees/strategyfinancecommittee/meetings/strategyfinancecommin20121129item16.pdf

The project had a $58 million capital budget and $13 million operating
expenses.  The first stage was expected to go live in May this year and the
system was supposed to be finished in 2016.  The expected cost benefit was
$13.3 million dollars per year, with a net present value in late 2012 of
$25.2 million.

The project is so far a year late and $100 million over budget, about 4 times
the NPV.  This was reported in the *New Zealand Herald*,
http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=11361387
So far no special stupidities have been revealed.  From the NZ Herald:

"IT engineers have discovered merging the eight systems from the previous
councils to be more complex than originally thought.  And not one of the
existing systems was considered a good starting point. ...
and the scope of NewCore has grown."

  Really, the only surprising thing is that anyone is surprised.


Drones Sighted by Pilots Landing at JFK Airport in NYC Show New Risks

Monty Solomon <monty@roscom.com>
Fri, 21 Nov 2014 06:50:30 -0500
A string of drone sightings this week by airline pilots flying into John
F. Kennedy International Airport highlights aviation risks posed by the
increasingly popular unmanned aircraft. ...
*Wall Street Journal*
http://online.wsj.com/articles/fbi-probes-drones-sighted-by-pilots-landing-at-jfk-airport-in-new-york-city-1416511819


Ian Urbina: The Secret Life of Passwords (NYT)

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 21 Nov 2014 12:05:53 PST
Ian Urbina, The Secret Life of Passwords:
We despise them—yet we imbue them with our hopes and dreams, our dearest
memories, our deepest meanings. They unlock much more than our accounts.
*The New York Times* Magazine, 19 Nov 2014
http://www.nytimes.com/2014/11/19/magazine/the-secret-life-of-passwords.html

  [Ian Urbina <urbina@nytimes.com> is seeking responses to his article,
  for a possible follow-up one.  PGN]


Android source of spreading malware

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 21 Nov 2014 9:57:34 PST
http://bits.blogs.nytimes.com/2014/11/20/malicious-software-said-to-spread-on-android-phones/


Why mobile and consumer ISPs shouldn't censor encryption or the Net

John Gilmore <gnu@toad.com>
November 19, 2014 at 8:31:04 PM EST
  [From the Cryptography list.  PGN]

> ...this was port 25 on Cricket
> Wireless, a prepaid mobile subsidiary of AT&T, i.e., a consumer
> network without static IP addresses or mail servers.
>
> http://arstechnica.com/tech-policy/2014/11/condemnation-mounts-against-isp-that-sabotaged-users-e-mail-encryption/
>
> Blocking port 25 on consumer networks to prevent outgoing spam, with
> real mail submitted on port 587 with authentication, has been an ISP
> best practice for over a decade.

I want to explore two of the assumptions in the above, that seem to be
decisive for some people in the debate: "mobile" and "consumer".

The theory seems to be that in a "mobile" Internet provider (that is,
one run by a cellphone company), more censorship is justifiable.  And
that in a "consumer" Internet provider, like one that sells
residential DSL or cable service, more censorship is justifiable.  In
this theory, an uncensored Internet should only be available to end
user nodes that are servers and backbone ISPs, because they can be
trusted to handle it, and they have the bandwidth to deal with the
traffic.

Let's talk about "consumer" first.  The Internet is a peer-to-peer network.
That has always been its strength, and one of the big things that
distinguished it from the "master/slave" networks that preceded it like
IBM's RJE, SNA, public networks like Telenet and Tymnet, and early computer
communication services like MCI Mail, CompuServe and The Source.  The
Internet started with every peer able to talk to every other peer, with no
nodes relegated to mere "clients" or "consumers".  TCP is designed to make a
working connection even if both nodes simultaneously and spontaneously reach
out to each other, as opposed to having a "server" side lying in wait and a
"client" side initiating connections.  New applications and protocols such
as multicast, instant messaging, VoIP, video conferencing, distributed
source code control systems like git, Mobile IP, BitTorrent, Kademlia,
federated social networking, and many others, including the Web which was
invented dozens of years after the Internet, depend on this peer-to-peer
behavior.  When address exhaustion and NAT threatened peer-to-peer since the
1990s, the network evolved to continue offering peer-to-peer support,
including IPv6 as the big fix, plus UPnP, NAT traversal, dynamic DNS,
supernodes, and other NAT circumvention technologies.

In a peer-to-peer network it doesn't work to designate some portions of the
network as "consumers" or "clients" who don't get full access, and other
portions of the network as "providers" or "servers" who do get full access.
Servers can be placed anywhere in the network, and frequently are placed on
"consumer" networks.  For example, in the homes of engineers or
entrepreneurs, in consumer Network Attached Storage boxes, in ethernet video
cameras, and even in flying $500 quadcopters.  Consumers (e.g. people)
should have all the same rights on the network as providers (e.g. websites).
Consumer devices (e.g. tablets) should have all the same rights on the
network as provider devices (e.g. data center servers).  A device's location
on the network is not and should not be relevant.  Many of the most
transformative innovations have come from individual consumers like Bram
Cohen or Linus Torvalds who created new protocols that run at the edge of
the network (BitTorrent and git).

Now let's talk about "mobile".  The theory is that mobile networks somehow
should get more authority to censor or block traffic, because they have less
total bandwidth available, or because their end nodes are "only" cellphones,
or for reasons like those.  Those arguments are largely specious, too.

First, cellphones have evolved into full blown pocket computers, and there
are more of them in the world than there are desktop computers.  If the
broad social move from desktops to pocket computers means that their
billions of users get fewer rights and capabilities than they had in the
previous generation, there's something rotten at the heart of that theory.
EFF was founded more than 20 years ago to counter exactly this kind of
creeping removal of well accepted civil rights via technological change.
Cellphone users should have all the same rights against censorship and
rights to encrypt their transmissions, as desktop computer users and as
server operators.  Software that runs as a mobile "app" should have the same
rights on the network as software that runs as a Linux desktop "package".
And by the time when our cellphones shrink to run in our wristwatch, our
eyeglasses, or in our bloodstreams, our always-on network should not deprive
us of rights that we had back in the day when we had to unpack our computer
from a bulky suitcase.

Second, it is easy for "mobile" networks to provide connectivity to full
blown desktop computers or servers.  USB mobile dongles are readily
available and cheap.  Mobile-based WiFi hotspots are readily available and
cheap.  The end nodes that connect to such hotspots, or use those dongles,
should get no worse censorship and encryption policies than when they
connect to a hardwired WiFi hotspot or to an Ethernet cable.

Third, telephone companies are now actively claiming that they cannot
affordably provide wired communications services, so they are asking
regulators to be able to withdraw wired services and offering ONLY "mobile"
networks to their customers in entire regions.  This got the most press
coverage after East Coast floods destroyed wired infrastructure, but it is a
covert nationwide strategy and every day a telco petitions a government
somewhere to eliminate the telco's core requirement to provide wired service
to every customer who wants it.  So not only do "mobile" users in those
regions become second-class customers, but EVERY user in those regions
becomes a second class customer.  If every user gets a more-censored
Internet in this transition, we're back to the dystopia of technological
evolution and telco manipulation destroying the valuable and important civil
rights that we all once had.

Fourth, let's examine the "low bandwidth" theory.  In many places on the
earth, 3G and 4G and 5G mobile bandwidth exceeds the readily available
bandwidth from wired Internet providers.  DSL lines only reach tens of
thousands of feet from a central office, relegating rural home users to
dialup modems or satellite or other wireless feeds.  Yet mobile cellular
networks in rural areas often cover large geographical areas that hold few
subscribers.  This means that each subscriber gets a correspondingly large
share of the total available bandwidth of the cell site, often making mobile
cellular the highest-available end-user-bandwidth network.

Fifth, even where wired networks offer higher bandwidth than mobile, the
absolute bandwidth offered on mobile networks today vastly exceeds the
bandwidth that was available just a short time ago.  The original ARPAnet's
backbones were 56 kilobit/sec leased lines, as were the original high speed
ISDN Internet connections offered in the 1990s.  When the NSFnet took over
from the ARPAnet, it ran on big 1500 kilobit (1.5 Megabit, T1) backbones.
Almost every server in the mid-1990s had no better connection to the
Internet.  The NSFnet was later upgraded to a T3 (45 megabits) backbone,
roughly the downstream speed of today's consumer cable modem—but that was
enough for the entire North American continent.  Most initial Internet users
were on 14.4 kilobit dialup modems, eventually rising to 56 kilobit dialup.
When the telco monopolies were forced to allow entrepreneurs to change the
signaling on the last-mile wire to your telco central office, ADSL lines
that ran a whole megabit or more (in one direction) became cheaply available
to consumers and ordinary businesses.  So getting back to the "mobile"
theory, if your server is perfectly happy on a 1.5 megabit connection, why
should you get your access censored, your encryption blocked, and
your application choices limited, depending whether your connection is a T1
line or a "mobile" dongle?

Sixth, after natural or man-made disasters, wired connectivity is often
destroyed, flaky or unavailable.  Mobile networks are much quicker to
repair after a flood, war, or earthquake, and may not go down at all.  For
the resilience of our infrastructure, which includes Internet services and
not just backbone connectivity, end users should be able to switch both
their "clients" and their "servers" onto whatever networks are functioning,
at any time.  A company that runs its own mail server should not have mail
delivery fail, or refuse encryption, because it was wise enough to provision
itself with backup connectivity via a mobile network.  If after a tornado
you put your web server on port 80 on a mobile network while running the
server on battery backup, the cellphone company should not censor it.  In
disasters the network has to be flexible, not rigid and coercive.

All these theories about why it's OK to censor Internet access, block
certain services based on the whim of the ISP, and prevent end users from
encrypting their traffic, come at their root from the monopoly nature of the
underlying access media.  In the heyday of the Internet, before these
monopolies learned how to manipulate the regulators to prevent it, the
monopolies were prohibited by law from telling you what phone numbers you
could call, what ISP you could dial into, what protocols you could run over
that modem, or who in the rest of the world you could communicate with.  The
telco couldn't stop you from calling the Internet—much as they dearly
would have loved to—because they were a common carrier.  And if your ISP
developed crazy ideas about censorship, you could just dial into another ISP
who had policies that suited you—or start your own ISP and attract
customers who like having full rights and freedoms.  I did exactly that in
the 1990s, when the available ISPs told me that I as a "consumer" couldn't
split down and share my net connection with anybody else.

The heart of today's "network neutrality" issue is that by falsely
conflating the underlying broadband access media with "the Internet", and
then deciding to leave both free of regulation, the regulators have
abandoned that prohibition on discrimination.  The FCC now allows the
regulated monopolists to decide who you can talk to and what you can say to
them.  The fix is not to regulate the Internet.  The fix is to regulate the
underlying broadband access media—the phone wiring, cable wiring, fibers
to your house or neighborhood, and wireless infrastructure—while
preventing the infrastructure companies from forcing you to choose a
particular "Internet" provider over that access medium.  Thus over your
cable modem you could buy Internet access from any of a dozen providers;
over your cellular phone you could buy Internet access from the same dozen.
The signals would be carried over a different medium, but neither the cable
company nor the cellphone company could dictate which ISP you must use or on
what terms you must access the Internet.

We see this problem again and again in different corners of different
issues, including this "anti-spammers versus consumer privacy" issue, but
it's really the same issue.  The access providers don't want to be common
carriers who are obliged to carry all traffic for everyone—because
there's more money in getting a government granted monopoly and then being
able to selectively sell access to that region, piecemeal, to the highest
bidders.  Like Comcast deciding that it won't take Netflix's traffic unless
Netflix pays extra.  Like T-Mobile deciding that you can't access
http://mpp.org from your phone (try it) because it publishes about the
politics of drugs, and "drugs are bad".  And like spam-weary ISPs deciding
that you can't encrypt your email transmissions because it would make their
particular choice of ineffective antispam measures even more ineffective.

John Gilmore
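The exchange at the root of this thread is the SMTP EHLO dialogue: a client on a
"consumer" or "mobile" network asks a submission server what it supports, and
only proceeds to encrypt if the server's reply lists STARTTLS.  An on-path ISP
that rewrites that reply can make the client believe encryption is unavailable.
The following is an added example, not code from Gilmore's post or from the Ars
Technica article: it parses an EHLO reply, simulates a constructed on-path
"scrubber" that overwrites the STARTTLS keyword in place, and shows a client
policy that fails closed instead of falling back to plaintext.  The host name
mail.example.net, the reply text and the scrubber are all constructed for the
example; the optional live probe at the end uses only the standard smtplib API.

```python
"""
Added example (not part of the RISKS post): fail-closed handling of an SMTP
EHLO reply whose STARTTLS capability may have been stripped in transit.
"""
import re
import smtplib

# Constructed EHLO reply from a hypothetical submission server (mail.example.net).
# RFC 5321 4.1.1.1: every line starts with "250", continuation lines use "250-",
# the final line uses "250 ".  The first line carries the server's domain.
CLEAN_EHLO = (
    "250-mail.example.net Hello client.example.org\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250 HELP\r\n"
)

EHLO_LINE = re.compile(r"^250([ -])(\S+)(?:\s+(.*))?$")


def parse_ehlo(reply):
    """Return {KEYWORD: params} from a multi-line 250 EHLO reply.

    Raises ValueError on anything that is not a well-formed 250 reply, so a
    reply that was damaged rather than merely rewritten is not silently
    treated as 'no extensions'.
    """
    lines = reply.rstrip("\r\n").split("\r\n")
    caps = {}
    for i, line in enumerate(lines):
        m = EHLO_LINE.match(line)
        if not m:
            raise ValueError("not a 250 reply line: %r" % line)
        sep, keyword, params = m.groups()
        last = i == len(lines) - 1
        # "250 " (space) must appear exactly once, on the last line.
        if (sep == " ") != last:
            raise ValueError("EHLO continuation marker out of place: %r" % line)
        if i == 0:
            continue  # greeting line: server domain, not a capability
        caps[keyword.upper()] = params or ""
    return caps


def scrub_starttls(reply):
    """Constructed on-path tampering.

    The keyword is overwritten with filler of the same length, so the TCP
    stream length and the 250-line structure are unchanged and the client
    simply sees an unknown extension where STARTTLS used to be.
    """
    return reply.replace("STARTTLS", "X" * len("STARTTLS"))


def submission_decision(reply, require_tls=True):
    """Decide what a client should do after reading the EHLO reply.

    'starttls'  - STARTTLS advertised: upgrade before AUTH or MAIL FROM.
    'abort'     - not advertised and TLS is required: do not send in the clear.
    'plaintext' - only reachable when the caller explicitly allows fallback,
                  which is the behaviour a capability-stripping middlebox
                  relies on.
    """
    caps = parse_ehlo(reply)
    if "STARTTLS" in caps:
        return "starttls"
    if require_tls:
        return "abort"
    return "plaintext"


def probe(host, port=587, timeout=10):
    """Live check (not run here): is STARTTLS still visible on the path to host:port?"""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        return s.has_extn("starttls")


if __name__ == "__main__":
    tampered = scrub_starttls(CLEAN_EHLO)
    print("clean reply    ->", submission_decision(CLEAN_EHLO))
    print("tampered reply ->", submission_decision(tampered))
    print("tampered, fallback allowed ->", submission_decision(tampered, require_tls=False))
```

The point of the `require_tls` default is the usage note: a client that treats a
missing STARTTLS line as "send anyway" hands the ISP a one-byte-per-character
way to disable encryption, while a client that aborts at least makes the
interference visible to the user.  Running `probe()` against the same server
from a wired connection and from a mobile dongle is the quickest way to tell
whether a given access network is rewriting port 25 or 587 traffic.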


"Microsoft does it again, botches KB 2992611 SChannel patch" (Woody Leonhard)

Gene Wirchenko <genew@telus.net>
Tue, 18 Nov 2014 10:52:53 -0800
Woody Leonhard, InfoWorld, 17 Nov 2014
Last Tuesday's MS14-066 causes some servers to inexplicably hang, AWS or IIS
to break, and Microsoft Access to roll over and play dead
http://www.infoworld.com/article/2848574/operating-systems/microsoft-botches-kb-2992611-schannel-patch-tls-alert-code-40-slow-sql-server-block-iis-sites.html

selected text:

Then there's the problem that Microsoft hasn't acknowledged. SQL Server guru
Darren Myher puts it this way:

  Security Update MS14-066 causes major performance problems in Microsoft
  Access/SQL Server applications... When the update is installed to a server
  running Microsoft SQL Server (So far, confirmed as issue with SQL Server
  2008 R2, SQL Server 2012, SQL Server 2014) client applications that access
  the database via ODBC such as Microsoft Access clients pointing to SQL
  Tables encounter a major performance hit...

  Our customers are reporting that this security update causes MAJOR
  performance problems in any Microsoft Access application with a SQL Server
  backend (any version).  For example, a simple operation such as clicking
  from one line of an order to another (without performing ANY data updates)
  can take from 5 to 15 seconds!  For users having to update hundreds of
  lines of orders, the application becomes nearly unusable—an activity
  that used to take 5 minutes could take hours to complete.

  Please, if you have not installed this update yet—DO NOT INSTALL IT to
  the SQL Server machine


"Malware served through rogue Tor exit node tied to cyber espionage group" (Lucian Constantin)

Gene Wirchenko <genew@telus.net>
Tue, 18 Nov 2014 12:12:31 -0800
Lucian Constantin, Infoworld, 14 Nov 2014
There is strong evidence the malware dubbed OnionDuke was used to
target European government agencies, F-Secure says
http://www.infoworld.com/article/2847547/security/malware-served-through-rogue-tor-exit-node-tied-to-cyber-espionage-group.html


"ISACA survey shows security disconnect for breaches, wearables" (Maria Korolov)

Gene Wirchenko <genew@telus.net>
Tue, 18 Nov 2014 10:57:17 -0800
Maria Korolov, *CSO*, 12 Nov 2014

Consumers aware of breaches, but don't care!
http://www.csoonline.com/article/2847313/security-awareness/isaca-survey-shows-security-disconnect-for-breaches-wearables.html


"How to lose customers with excessive security" (Galen Gruman)

Gene Wirchenko <genew@telus.net>
Tue, 18 Nov 2014 11:01:18 -0800
Galen Gruman, InfoWorld, 18 Nov 2014
If your service or product security works like a prison, don't be
surprised when users and customers go elsewhere
http://www.infoworld.com/article/2848761/security/how-to-lose-customers-with-excessive-security.html

opening text:

I fired my bank last week because I got tired of getting entangled in
security systems that ensured I would be unable to access my online banking
for days at a time, especially when I was traveling. My local branch manager
said I was hardly alone in leaving the bank, and it's a good object lesson
for what happens when security becomes overkill.


"CASL restricts freedom of speech, academic paper argues" (Brian Jackson)

Gene Wirchenko <genew@telus.net>
Tue, 18 Nov 2014 11:14:01 -0800
Brian Jackson, *IT Business*, 17 Nov 2014
CASL restricts freedom of speech, academic paper argues
http://www.itbusiness.ca/article/casl-restricts-freedom-of-speech-academic-paper-argues

opening text:

Since Canada's anti-spam law (CASL) came into effect July 1, many businesses
have been scrambling to bring their communications practices into compliance
-- and to understand what that compliance requires. But is the law itself
even legal?

That's the question examined by a paper published in the journal Tech &
Privacy by University of Windsor associate professor Emir Crowne. The paper
argues CASL is unconstitutional under Canada's charter for several reasons:


High-school RISKS courses?

William Ehrich <ehr309@clear.net>
Wed, 19 Nov 2014 10:38:18 -0600
A phone call warns me that the IRS is about to file a suit against me.
Call 202... for details.

Made me wonder whether there is a high-school course on phishing scams and
similar RISKS.  ... Those who don't yet have credit/debit cards or bank
accounts won't pay attention or remember.


China blocks websites as Internet meeting begins

Lauren Weinstein <lauren@vortex.com>
Wed, 19 Nov 2014 08:17:42 -0800
AP item from The Stockmarket Watch (SMW) via NNSquad
http://thestockmarketwatch.com/news/read.aspx/china-blocks-websites-as-internet-meeting-begins/79c5dfed7d7224db0b985dce647a9e2c/

  "Chinese censors have newly blocked access to several popular websites as
  they target content delivery networks that serve much of the Internet,
  according to a U.S. Internet service company.  The action comes as China
  hosts the World Internet Conference, which brings together many of the
  world's top technology companies."


Pay Phones in New York City Will Become Free Wi-Fi Hot Spots

Monty Solomon <monty@roscom.com>
Tue, 18 Nov 2014 08:04:43 -0500
But beginning next year, city officials said on Monday, the relics will
evolve into something deemed far more practical: thousands of Wi-Fi hot
spots across the city, providing free Internet access, free domestic calls
using cellphones or a built-in keypad, a charging station for mobile devices
and access to city services and directions. ...

http://www.nytimes.com/2014/11/18/nyregion/pay-phones-in-new-york-city-will-become-free-wi-fi-hot-spots.html


Privacy Concerns for ClassDojo and Other Tracking Apps for Schoolchildren

Monty Solomon <monty@roscom.com>
Tue, 18 Nov 2014 08:15:55 -0500
Many teachers say the ClassDojo app helps them record classroom conduct, but
critics are wary of such apps' ramifications for data privacy and fairness.

http://www.nytimes.com/2014/11/17/technology/privacy-concerns-for-classdojo-and-other-tracking-apps-for-schoolchildren.html


Re: 81% of Tor users can be de-anonymized by analyzing router ... (RISKS-28.36)

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 19 Nov 2014 15:47:48 PST
In the previous issue, Lauren Weinstein noted this Stack article.
  Martin Anderson, 81% of users can be de-anonymised by analysing router
  traffic, research indicates, *The Stack*.
  http://thestack.com/chakravarty-tor-traffic-analysis-141114

Subsequently, Roger Dingledine's blog item and an attached comment by
Sambuddho both qualify the 81% number as based on a small sample, with
other comments well worth reading:
  https://blog.torproject.org/blog/traffic-correlation-using-netflows

Other out-of-band comments suggest that the problem may well result from an
external vulnerability rather than a flaw in Tor.


Re: The GCHQ boss's assault on privacy (Moglen, RISKS-28.36)

Chris Drewe <e767pmk@yahoo.co.uk>
Wed, 19 Nov 2014 22:36:24 +0000
> ... Like pretty much everything else said by governments, and spy agencies
> in particular, since Snowden pulled the behaviour of the US and UK
> listeners into daylight, Hannigan's comments were intentionally
> disingenuous.  But also, like servants of various despotisms with whom he
> would be lo[a]th to compare himself, Hannigan's frequent use of the word
> *democracy* is accompanied by a stunning contempt for the rule of
> law. [...]

IMHO, rather ironic that this should be happening within weeks of (a)
celebrating 25 years since the fall of the Berlin Wall, and (b) Remembrance
Day, when many nations annually commemorate the lives of those who
fought in two world wars for our freedom. ...
