"I think it probably is the least likely [to] see something be rigged because I can't even imagine how you could do that." http://wshu.org/post/conn-sots-denise-merrill-serious-about-keeping-2016-elections-secure [This person clearly needs to be reading RISKS! PGN]
[Quoted misspelling of Ramsey Clark fixed. PGN]

Electoral warfare, Sean Gallagher, ArsTechnica, 21 Sept 2016
Thanks, Internet! Messing with elections not just for the CIA anymore.
http://arstechnica.com/tech-policy/2016/09/thanks-internet-messing-with-elections-not-just-for-the-cia-anymore/

Former Justice official: U.S.'s own electoral meddling leaves little room for complaint.

Even if the Russian government was behind the hack of the Democratic National Committee (DNC) and various other political organizations and figures, the US has little room for complaint, according to Jack Goldsmith, a Harvard law professor and former US assistant attorney general.
<http://arstechnica.com/security/2016/06/guccifer-leak-of-dnc-trump-research-has-a-russians-fingerprints-on-it/>
<http://arstechnica.com/security/2016/07/democratic-partys-congressional-fundraising-committee-was-also-hacked/>

Goldsmith, who served at the Justice Department during the administration of George W. Bush and resigned after a dispute over the legal justifications for "enhanced interrogation" techniques, spoke on Tuesday about the DNC hack during a Yale University panel.
<https://yalelaw.hosted.panopto.com/Panopto/Pages/Viewer.aspx?id=6f45c286-c6c2-4810-b432-434d32ba7ec2>

"Assuming that the attribution is accurate," Goldsmith said, "the US has very little basis for a principled objection." In regard to the theft of data from the DNC and others, Goldsmith said that "it's hard to say that it violates international law, and the US acknowledges that it engages in the theft of foreign political data all the time."
Goldsmith pointed out that when Director of the Office of National Intelligence James Clapper testified before Congress about a data breach at the Office of Personnel Management, which collected sensitive information on millions of individuals who had worked for or done business with the government, "He said, 'I'm really impressed with what they did, and I would have done the same thing if I could have.'"
<http://arstechnica.com/security/2015/06/epic-fail-how-opm-hackers-tapped-the-mother-lode-of-espionage-data/>

As far as the publication of the stolen data in a way intended to interfere with the US presidential election, Goldsmith noted that the US has a long history of interference in other countries' politics. "Misinformation campaigns are a core element of what the [Central Intelligence Agency] has done" since it was created, he said.

Goldsmith cited a study published in August by Dov H. Levin of the Institute for Politics and Strategy at Carnegie Mellon University. The data set for the study details all 117 known times the US and the USSR (later Russia) attempted to manipulate the outcome of elections in other countries. "This was either supporting one side, or taking actions to denigrate or harm the other side," explained Goldsmith. "And 69 percent of this was the US."
<https://scifeeds.com/journal-article/partisan-electoral-interventions-by-the-great-powers-introducing-the-peig-dataset/>

Bad precedents

In 1989, as a young Navy officer, I got a front-row seat to one of the more overt efforts by the US government to influence the results of a foreign election. I was in Panama, and the outskirts of Panama City were plastered with campaign signs for Guillermo Endara, the presidential candidate of the Democratic Alliance of Civic Opposition (ADOC), the opposition party challenging General Manuel Noriega's Democratic Revolutionary Party. The CIA funded Endara's campaign, giving him $10 million—a huge sum for a country of 2.4 million people.
As an independent commission led by former Attorney General Ramsey Clark found in a report, "It is the per-capita equivalent of a foreign government spending over $1 billion to influence a US national election (five times the amount spent by George Bush and Michael Dukakis combined in the 1988 presidential election)."
<http://abeuqela.ru/xusex.pdf>

I left the country just before the election, which Endara apparently won based on exit polls—though that result wouldn't stand because of vote fraud by Noriega's supporters. A "dignity battalion" attacked Endara and his running mate with clubs. I returned in December to do a security inspection at Rodman Naval Station, only to find myself being ushered into a van to the nearby Air Force base in the early morning hours of December 20 to evacuate as the US "corrected" the election results with Operation Just Cause.

There are many other examples, some of them less direct—such as US support for a 1973 coup in Chile that overthrew the elected government of socialist President Salvador Allende. Other US efforts to affect politics—even those within the Soviet Union—were more subtle. Goldsmith cited an example in the early 1950s, when "[Nikita] Khrushchev trashed Stalin in a party meeting. The CIA got a recording of it and leaked it to newspapers in an attempt to harm Khrushchev."

"No piece of [the DNC hack] is different functionally" from what both the US and Russia have done in the past, Goldsmith said. What's different is that it's happening *to* the United States—and that doesn't feel good.

Thanks to the Internet and the powerful asymmetric capabilities it provides, events like these are likely to continue. Cyber-disinformation campaigns can happen "with an ease and scale that dwarfs everything that happened before," Goldsmith noted. The threat of interference in politics through hacking and data manipulation might render all past precedents set by intelligence organizations moot.
"Theft and publication of truthful information is small beans—what about theft and publication of *faked* information, which is hard to verify, or tampering with the vote itself?" Goldsmith said. "That could have huge consequences, the number of actors who could do this are many, and our ability to defend against it is uncertain."

The Russian government has been preparing for this game for some time. Individuals aligned with the Russian government have used social media disinformation, denial of service attacks, and hacking campaigns to shape the political landscape in former Soviet states and elsewhere in Europe frequently over the last decade. China also has shown a willingness to use information operations to influence US politics—apparently hacking the networks of both Barack Obama and John McCain during the 2008 presidential election campaign, using information obtained about McCain's interactions with Taiwan to further its own political objectives.
<http://arstechnica.com/security/2016/07/clinton-campaign-email-accounts-were-targeted-by-russians-too/>
<http://arstechnica.com/tech-policy/2008/11/giving-partisan-hacks-a-whole-new-meaning/>

Echoing comments made by Edward Snowden last year, Goldsmith concluded, "The US has the most powerful cybercapabilities in the world... but we are very much also the most vulnerable, and we're going to be more and more on the losing end of the stick. I think this is just the beginning."
<http://arstechnica.com/tech-policy/2015/01/snowden-us-has-put-too-much-emphasis-on-cyber-offense-needs-defense/>

Guest editorial: The DNC hack and dump is what cyberwar looks like.
<http://arstechnica.com/security/2016/06/guest-editorial-the-dnc-hack-and-dump-is-what-cyberwar-looks-like/>
Cybergeddon: Why the Internet could be the next *failed state*
<http://arstechnica.com/information-technology/2015/02/fear-in-the-digital-city-why-the-internet-has-never-been-more-dangerous/>
This is of course a divergent rant that takes us away from cyberrisks.

> To vote is to declare yourself incompetent to manage your own affairs, and
> to appoint whoever takes office as your guardian with a full power of
> attorney to spend your money and dictate your choices.

I hope I can apply some salve by the idea that voting is rather like evolution. The individual plays no role in evolution. It's the circumstances of thousands of individuals that lead to the emergence of selective qualities being selected. You don't vote for your own good, you vote for the good of everyone else.

I suspect many people in the US would be outraged that voting might be made compulsory as it is here in Australia. Now while too many Australians try to avoid voting by not registering to vote, the vast majority of us vote - and the ballots are far more complex than just about everywhere else in the world. The election losers are mostly satisfied with the results and the process is free of voter obstruction, special interest effects and multiple voting.

There are second-order effects from voting as well. Even if I live in a safe left wing seat and right wing votes appear to be for naught, the number of right wing votes conveys information and this affects how audacious the left wing government of this seat behaves.
John Sebes wrote, "...if you don't try to vote, you have 0% chance of being counted; while if you do vote you do have a chance of being counted."

Would you use an ATM if there was only a chance that you'd get your money or that your deposit would be credited to your account? Is democracy less important to you than your bank account?

Sebes: "If everyone who had the same type of doubts that Mark has (and/or others that I and other election folks have) were to not vote, then we would not have an effective democracy."

Rule by the rich is not called democracy, it is called plutocracy. That is the system we have and that is the system to which I do not wish to lend legitimacy by voting. To you a broken election might be a nightmare, but to me endless wars, military expansionism at the expense of domestic needs, trillions of dollars unaccounted for by the Pentagon, trillions more to bail out banks that knowingly and deliberately wrecked our economy, homeless people sleeping on the streets of every city in the country, unarmed citizens being killed by the police every day, the widespread use of prison labor (something we used to condemn when China did it), decreasing longevity rates, people lacking access to clean drinking water, a quarter of U.S. citizens diagnosed as mentally ill, and a total lack of accountability at the highest levels of government, is a nightmare from which I'd very much like to awaken.

Mark Kramer wrote, "If your candidate concedes prior to the votes being counted, that's the fault of your candidate and not the system."

A system that allows a single person to decide an election is not a democratic system. In some systems, if the winning candidate withdraws, dies, or becomes unable to hold office, a new election would be held rather than allowing someone who was not elected to take office. The problem indeed is with the system.
Michael Kohne wrote, "Staying home just gives anyone monkeying around with the system that much more leverage to work with."

Elections officials have the same leverage to work with whether people vote or stay home. A central tabulator can be programmed to give a certain proportion of the votes to a specific candidate without regard to how many ballots were cast. Whether 90% vote, 50% vote, or only 10% vote, the leverage for monkey-wrenching remains the same.

Kohne: "...But I can't respect just sitting there whining without even trying to vote, let alone FIX it."

Yes, that's the old argument that doing something is better than doing nothing, and that not voting is doing nothing. So the person whose carburetor is flooded should keep stepping on the gas rather than just sitting there and doing nothing. The person who realizes that they're about to drive over a cliff should keep driving rather than stopping and just sitting there doing nothing.

Quoting my own August 2011 article, "You've Got to Stop Voting" (http://fubarandgrill.org/node/1172):

"If you're doing something wrong, or something that is self-destructive or hurting others, stopping might be a good idea. If delegating your power to people you can't hold accountable has resulted in the devastation of your economy, do you really want to keep doing it? If granting your authority to people you can't hold accountable has resulted in wars based on lies that have killed over a million innocent people, do you really want to keep doing it? If granting your consent of the governed to people you can't hold accountable has resulted in government operating on behalf of big corporations and the wealthy instead of on behalf of the people, do you really want to keep doing it?"

Kohne: "And no, 'protesting' by not voting isn't fixing anything. It's a cop-out. It accomplishes NOTHING."

When Ireland tried to introduce electronic voting machines, voters refused to use them and eventually the government had to scrap them.
Protesting by not voting was proven to be an effective tactic. Perhaps I'm wrong, but I was under the impression that most computer professionals, on becoming aware that their system was infested with some sort of malware that infested any other computers they communicated with, would stop using the system until it was cleaned and safe to use. I've never heard of anyone saying, "Well, just keep using it because we don't want people to lose faith in our computer system." But judging from the responses I've been getting, maybe I haven't been reading RISKS closely enough and it is a common attitude that I somehow failed to notice.
"A computer error—a circuit failure that affected the brakes—was found to be the cause of a Muni bus crash into the back of a delivery truck, city officials said, raising questions about the condition of a group of older buses that are being replaced." Apparently, the driver taking his foot off the accelerator, hitting the brake pedal, or applying the emergency brake didn't disengage the traction motors of the electric trolleybus, in part due to a communications failure. This doesn't sound like a fail-safe design. Muni instructed drivers to either press the "Poles Down" button (to cut off current), press the emergency stop switch, or select "Off" on the master controller in such a situation. The brakes were working, but the powerful traction motors continued pushing the bus forward anyway. Muni to replace malfunctioning buses after computer error led to crash - The San Francisco Examiner http://j.mp/2dOhUEj
Catalin Cimpanu, Softpedia, 12 Oct 2016
12-Year-Old SSH Bug Used to Relay Malicious Traffic via IoT Devices
IoT devices used as proxies for malicious traffic
http://news.softpedia.com/news/12-year-old-ssh-bug-used-to-relay-malicious-traffic-via-iot-devices-509225.shtml

Attackers are using IoT devices as proxies for malicious traffic by taking advantage of a configuration option in SSH daemons, which allows them to use a 12-year-old OpenSSH flaw to bounce traffic off IoT equipment.

The flaw is *CVE-2004-1653*, a security issue discovered in 2004 and patched in early 2005, caused by a default configuration that was shipping at the time in OpenSSH (sshd). According to MITRE <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1653> and security experts Jordan Sissel <http://www.semicomplete.com/articles/ssh-security/> and Joey Hess <http://joeyh.name/blog/entry/ssh_port_forwarding/>, older versions of the OpenSSH client allowed TCP forwarding in default setups, which then allowed remote authenticated users to perform a port bounce.

The flaw was not severe since attackers needed SSH access to the device, but after an attacker brute-forced his way into systems using unsecured SSH credentials, he could monetize those machines as part of for-hire proxy services sold online.

Bug resurrected for IoT botnets

While OpenSSH hasn't featured that default configuration option for years, OpenSSH has been embedded in billions of IoT devices spread all over the world. As we know by now, most of these devices are the victims of *Telnet and SSH brute-force attacks* on a regular basis and are being added to DDoS botnets every day.
<http://news.softpedia.com/news/botnets-of-embedded-devices-are-trying-to-brute-force-telnet-ports-508050.shtml>

Because IoT devices lack the hardware capabilities to support complex operations, the only good things an IoT botnet can be used for are to launch other brute-force attacks, launch DDoS attacks, and relay malicious traffic.
IoT devices used as relays for other malicious traffic

According to a threat advisory released by Akamai today, the company's security team says it detected large amounts of malicious traffic originating from IoT devices.
<https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/sshowdown-exploitation-of-iot-devices-for-launching-mass-scale-attack-campaigns.pdf>

A further investigation of the issue has revealed that crooks have been brute-forcing IoT devices, altering their SSH configurations by enabling the "AllowTcpForwarding" option, and then using these devices as proxies for all sorts of malicious traffic. This allows attackers to mask the true origin of their attacks, be it DDoS attacks, regular Web traffic, other brute-force attacks, or any other kind of Internet packet that can be relayed by the IoT device.

In order to prevent these attacks, which Akamai tracks under the SSHowDowN Proxy codename, the company recommends a set of defensive measures; for "How to Protect Yourself (Device Vendors and/or End Users)", see the article.
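[The audit below is an added example, not code from the Softpedia article or from Akamai's advisory. It parses an sshd_config the way sshd itself does (keywords are case-insensitive, the first occurrence of a keyword wins, Match blocks scope whatever follows them) and reports the forwarding and authentication settings that make the SSHowDowN pattern possible, including the case the article describes: a device whose config never mentions AllowTcpForwarding and therefore inherits sshd's default of "yes". The defaults and weak-value sets are taken from sshd_config(5) as the editor knows them; only AllowTcpForwarding is named by the article, the other keywords are this example's additions for the brute-force path it describes. Both sample configs are constructed. PGN-ed]

```python
"""Audit an sshd_config for the settings SSHowDowN abuses (added example, not
from the article or Akamai).  Mirrors sshd's parsing per sshd_config(5):
keywords are case-insensitive, the FIRST occurrence wins, 'Key value' and
'Key=value' are both accepted, and lines after 'Match' apply to that block only."""
import re
from dataclasses import dataclass, field

# sshd's compiled-in defaults for the audited keywords (sshd_config(5)).
DEFAULTS = {
    "allowtcpforwarding": "yes", "gatewayports": "no", "permittunnel": "no",
    "passwordauthentication": "yes", "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
}

# Values worth flagging on an Internet-facing device.  Only AllowTcpForwarding
# is named in the article; the rest cover the brute-force path it describes.
WEAK = {
    "allowtcpforwarding": ({"yes", "all", "local", "remote"}, "authenticated users can bounce TCP through this host"),
    "gatewayports": ({"yes", "clientspecified"}, "remote forwards may bind non-loopback addresses"),
    "permittunnel": ({"yes", "point-to-point", "ethernet"}, "tun(4) forwarding makes the host a layer-3 relay"),
    "passwordauthentication": ({"yes"}, "credentials can be brute-forced"),
    "permitrootlogin": ({"yes"}, "root is reachable with a password"),
    "permitemptypasswords": ({"yes"}, "accounts without a password can log in"),
}


@dataclass
class Scope:
    name: str                                     # "global" or the Match criteria
    settings: dict = field(default_factory=dict)  # keyword -> first value seen


def parse_sshd_config(text):
    """Return ([global_scope, match_scope, ...], [Include paths, not followed])."""
    scopes, includes = [Scope("global")], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+?)\s*(?:=|\s)\s*(.*)$", line)
        if not m:
            continue                              # bare keyword without a value
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            scopes.append(Scope(value))           # following lines belong to this block
        elif key == "include":
            includes.append(value)
        else:
            scopes[-1].settings.setdefault(key, value.lower())  # first occurrence wins
    return scopes, includes


def audit(text):
    """Return (scope, keyword, value, origin, reason) for each weak effective setting.

    Globally, an unmentioned keyword takes sshd's default, which is the IoT case:
    no AllowTcpForwarding line means 'yes'.  A Match block is reported only where
    it sets the keyword itself, since otherwise it inherits the global value.
    """
    scopes, includes = parse_sshd_config(text)
    findings = []
    for key, (bad, why) in WEAK.items():
        for scope in scopes:
            if key in scope.settings:
                value, origin = scope.settings[key], "explicit"
            elif scope.name == "global":
                value, origin = DEFAULTS[key], "default"
            else:
                continue
            if value in bad:
                findings.append((scope.name, key, value, origin, why))
    for path in includes:
        findings.append(("global", "include", path, "unresolved", "included file not audited"))
    return findings


# Constructed sample: a vendor sshd_config that never mentions AllowTcpForwarding.
FACTORY_CONFIG = """\
# Vendor defaults
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
Subsystem sftp /usr/lib/openssh/sftp-server
"""

# Constructed sample: a hardened file.  The appended 'yes' is inert because the
# earlier 'no' wins; the Match block deliberately reopens forwarding for one user.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
PermitEmptyPasswords no
# appended later; sshd ignores it because the first occurrence above wins
AllowTcpForwarding yes
Match User tunneluser
    AllowTcpForwarding yes
"""

if __name__ == "__main__":
    for label, cfg in (("factory", FACTORY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for scope, key, value, origin, why in audit(cfg):
            print(f"  [{scope}] {key} = {value} ({origin}): {why}")
```

The first-occurrence rule is the practical point: an intruder who appends "AllowTcpForwarding yes" to a file that already says "no" changes nothing, while a vendor file that never mentions the keyword is forwarding-enabled without a single line saying so, which a grep for "yes" will miss. On a live host, `sshd -T` prints the effective configuration that this script approximates offline; devices that never need forwarding should carry an explicit "AllowTcpForwarding no" alongside key-only authentication.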
Catalin Cimpanu, Softpedia, Oct 14 2016
Social engineering tactics hit a new level
Untrained and gullible Android users are now the target of an Android banking trojan that asks them to send a selfie holding their ID card.
http://news.softpedia.com/news/android-trojan-asks-victims-to-submit-a-selfie-holding-their-id-card-509303.shtml

The trojan's name is Acecard and it is considered one of the *most dangerous and intrusive Android banking trojans known today*, according to a Kaspersky analysis from last February.
<http://news.softpedia.com/news/acecard-one-of-today-s-most-dangerous-android-trojans-500784.shtml>

To stay ahead of security researchers, all malware must constantly evolve, either with changes to their underlying code or in their mode of operation.

New version of Acecard trojan found targeting Singapore and Hong Kong

A previous version of the Acecard trojan hid *inside a Black Jack game* delivered via the official Google Play Store.
<http://news.softpedia.com/news/black-jack-game-delivered-the-most-dangerous-android-trojan-known-today-504127.shtml>

In the most recent version of this threat, security experts from McAfee have found a new version of the Acecard trojan hidden inside all sorts of apps that pose as Adobe Flash Player, pornographic apps, or video codecs.
<https://blogs.mcafee.com/mcafee-labs/android-banking-trojan-asks-for-selfie-with-your-id/>

All of these apps are distributed outside of the Play Store and constantly pester users with permission requirement screens until they get what they want, which is administrator rights. Once this step is achieved, the trojan lies in hiding until the user opens a specific app. McAfee experts found that when the user opens the Google Play app, the trojan springs a new social engineering trap.

Acecard tricks the user into providing payment card and real ID details

First, it prompts the user for his payment card number.
Then, in separate popups, it asks the user for his card details, such as name and expiration date, but also asks the user to enter his real ID details. At the time of writing, versions of this trojan have been seen asking for ID details specific to users living in Singapore and Hong Kong.

After this, the trojan uses new prompts to ask the user to take a picture of the front and back side of his ID card. During a third step, the trojan then asks the user to hold the ID in his hand, underneath his face, and take a selfie.

ID photo can be used to confirm illegal transfers, take over accounts

"[This is] very useful for a cybercriminal to confirm a victim's identity and access not only to banking accounts, but probably also even social networks," says Carlos Castillo, McAfee researcher, of the reasons why Acecard is using this new kink.

With photos of the victim's ID in hand, the attacker can verify illegal banking transactions, or confirm to tech support that he's the real owner of hijacked social media accounts.

Besides Google Play, this version of Acecard also collects access credentials using fake logins for social media apps such as Facebook, WhatsApp, WeChat, Line, and Viber, but also other apps such as Dropbox, Google Music, Google Books, and Google Videos.

This trick obviously works only with less technical users who haven't used smartphones for long. Any tech-savvy user would quickly understand that there's no reason for Google to ask for your ID card, and take measures to find the trojan and remove it from his phone.
via NNSquad
https://blog.google/topics/public-policy/building-surveillance-reform/

Today, we've updated our Transparency Report on government requests for user data. Globally, we received 44,943 government requests for information regarding 76,713 accounts during the first half of 2016. We provided user information in response to 64% of those requests, which remains unchanged from the previous reporting period (i.e. the second half of 2015). We also received our first ever requests from the following countries: Algeria, Belarus, Cayman Islands, El Salvador, Fiji, and Saudi Arabia. In addition, pursuant to the USA Freedom Act, the FBI lifted a gag restriction on an NSL issued in the second half of 2015. To reflect this, we have updated the range of NSLs received in that period—July to December 2015—from 0-499 to 1-499.

As we have noted in the past, when we receive a request for user information, we review it carefully and only provide information within the scope and authority of the request. The privacy and security of the data that users store with Google is central to our approach. Before producing data in response to a government request, we make sure it strictly follows the law (for example, to compel us to disclose content in criminal cases we require that the government use a search warrant) and that it complies with Google's strict policies (to prevent overreach that can compromise users' privacy).
Many websites big and small have had their HTTPS certificates incorrectly scrapped, meaning that for some people their browsers no longer trust websites and refuse or are reluctant to access them. It appears GlobalSign inadvertently triggered the revocation of its intermediary certificates while updating a special cross-certificate. This smashed the chain of trust and ultimately nullified SSL/TLS certificates issued by GlobalSign to its customers. It could take days to fix, leaving folks unable to easily read their favorite webpages. [PGN-ed] http://www.theregister.co.uk/2016/10/13/globalsigned_off/
According to the ACLU, Geofeedia (a company in Chicago) has used data from Facebook, Twitter and several other networks to aid law enforcement officials in monitoring protesters. [PGN-ed] http://www.nytimes.com/2016/10/12/technology/aclu-facebook-twitter-instagram-geofeedia.html
The head of the United States Anti-Doping Agency says the cyberattack targeting its science director's email account is meant to smear clean athletes. http://www.nytimes.com/2016/10/15/sports/us-officials-reassure-athletes-after-new-russian-hack-of-medical-files.html
Samsung Estimates $2.3 Billion Loss Over Galaxy Note 7 Troubles
http://www.nytimes.com/2016/10/13/business/international/samsung-galaxy-note7-profit-battery-fires.html

Galaxy Note 7 Is Not Samsung's Only Problematic Product
They are also having safety problems with other goods, including washing machines, microwaves, and refrigerators.
http://www.nytimes.com/2016/10/13/business/international/samsung-galaxy-note7-profit-battery-fires.html
I am wondering whether this is a harbinger of a much broader problem: When batteries, in particular those containing lithium (and maybe future technologies we don't yet know), are discarded, on their own or still inside the device they have been feeding, what happens next? Hopefully, most batteries will be dismantled and/or recycled in a safe manner. But it is inevitable that some will end up in places where they don't really belong: Landfills, incinerators, shredders, or just left or dropped somewhere. As time passes, these may eventually corrode or get punctured somehow, potentially leading to fires, maybe years or decades after the end of their useful lives. Note: We are talking not just about the rather small batteries of mobile phones, but also larger ones for e.g., e-bikes, household and garden machines, tools, electric cars. Does anybody have a feel for how real this problem is? Will discarded batteries remain time bombs forever, or are they likely to degrade gracefully into something less hazardous after some time?