The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 29 Issue 88

Tuesday 25 October 2016

Contents

Russian Suspected of Hacking U.S. Tech Companies Is Indicted
The NYTimes
Radio interference disables cars and cell phones in Evanston
ARRL via Ed Ravin
Report on "Ethics of AI"
John Horgan
As Artificial Intelligence Evolves, So Does Its Criminal Potential
The NYTimes
Pittsburgh's new artificially intelligent stoplights could mean no more pointless idling
Chris Weller
Re: Self-driving cars shouldn't have to choose who to protect in a crash
tanner andrews
Samsung washing machines in Australasia hot issue since 2013
Donald Mackie
China's Total Information Awareness?
Simon Denyer
Every LTE call, text, can be intercepted, blacked out, hacker finds
The Register
Unneeded Services Foster Botnets and other security problems
Bob Gezelter
Kevin Marks: Internet becoming unreadable, lighter thinner fonts
LW
Al Mac
Dyn Statement on the 21 Oct 2016 DDoS Attack
Kyle York PGN-ed
Hacked Cameras, DVRs Powered Today's Massive Internet Outage
Brett Glass
German voting system, for comparison
Thomas Koenig
Re: Undetectable election hacking?
Mark Brader
Paul Edwards
David Brodbeck
The Right to be Forgotten for posts sitting in a moderator's queue
Dan Jacobson
Info on RISKS (comp.risks)

Russian Suspected of Hacking U.S. Tech Companies Is Indicted (The NYTimes)

Monty Solomon <monty@roscom.com>
Sat, 22 Oct 2016 17:13:09 -0400
Yevgeniy Aleksandrovich Nikulin, 29, was arrested in Prague this month on
charges that he hacked into networks at LinkedIn, Dropbox and Formspring.
http://www.nytimes.com/2016/10/22/business/russian-suspected-of-hacking-us-tech-companies-is-indicted.html


Radio interference disables cars and cell phones in Evanston (ARRL)

Ed Ravin <eravin@panix.com>
Sat, 22 Oct 2016 23:40:07 -0400
Using the radio spectrum as a replacement for physical locking mechanisms
like ignition keys means all the same issues/attacks facilitated by an
unfettered access medium (like the Internet or wifi) are now applicable to
starting a car.  Man-in-the-middle and replay attacks have already been
demonstrated against automobile keyfobs, so it was only a matter of time
before a denial-of-service attack would show up.

http://www.arrl.org/news/amateur-radio-sleuthing-pins-down-source-of-strange-rf-interference

"Police in Evanston, Illinois, contacted the ARRL Lab, after an apparent
interference source began plaguing wireless vehicle key fobs, cell phones,
and other wireless electronics. Key fob owners found they could not open or
start their vehicles remotely until their vehicles were towed at least a
block away, nor were they able to call for help on their cell phones when
problems occurred. [...]"

"The interference source turned out to be a recently replaced neon sign
switching-mode power supply, which was generating a substantial signal
within the on-street parking area just across the sidewalk, between 8 and 40
feet from the sign. [...]"


Report on "Ethics of AI"

John Horgan <jhorgan@stevens.edu>
October 22, 2016 at 11:39:33 AM EDT
  [via Dave Farber]

"How Would an AI Cover an AI Conference?"

"... I spent last weekend at New York University listening to philosophers,
scientists and engineers jaw about Ethics of Artificial Intelligence.  How
can we ensure that driverless cars, drones and other smart technologies --
such as algorithms that decide whether a human gets parole or a loan or has
breast cancer—are used ethically? Also, what happens if machines get
really smart? Can we design them to be nice to us? Do we have to be nice to
them? Speakers responded to these questions in a welter of ways, as did
members of the audience. How should I write it up? Too many choices!..."

https://blogs.scientificamerican.com/cross-check/how-would-ai-cover-an-ai-conference/


As Artificial Intelligence Evolves, So Does Its Criminal Potential (The NYTimes)

Monty Solomon <monty@roscom.com>
Sun, 23 Oct 2016 19:15:22 -0400
The next generation of online attack tools used by criminals will add
machine learning capabilities pioneered by AI researchers.

http://www.nytimes.com/2016/10/24/technology/artificial-intelligence-evolves-with-its-criminal-potential.html


Pittsburgh's new artificially intelligent stoplights could mean no more pointless idling (Chris Weller)

Dewayne Hendricks <dewayne@warpspeed.com>
October 23, 2016 at 10:43:35 AM EDT
[Note:  This item comes from friend Mike Cheponis.  DLH] (via Dave Farber)

Chris Weller, Flipboard, 22 Oct 2016
Pittsburgh's new artificially intelligent stoplights could mean no more pointless idling
https://flipboard.com/@flipboard/flip.it%2Fv0Bx8s-pittsburghs-new-artificially-intelligen/f-d4fc5638da%2Fbusinessinsider.com

Traffic lights are finally getting smarter in Pittsburgh.

Thanks to a new pilot program from the tech startup Rapid Flow Technologies,
Steel City now boasts 50 intersections whose stoplights are running
artificial intelligence software known as Surtrac that reduces wait times on
empty or lightly-traveled roads.

Since Surtrac was first introduced in 2012, the Rapid Flow team estimates
the AI stoplights have cut emissions by 21%, travel times by 25%, and idling
times by 40%.

The magic of Surtrac is that it bundles each stoplight into an intelligent
network "that moves all the vehicles it knows about through the intersection
in the most efficient way possible," Rapid Flow CEO Steve Smith said at the
recent White House Frontiers Conference, according to IEEE Spectrum.

Surtrac relies on a system of cameras and radar sensors that detect traffic
patterns in particular areas. When one area starts to see more traffic --
during rush hour, for example—the other stoplights use a proprietary set
of algorithms to adjust their timing accordingly.

The result is a smarter city that operates more like a living, breathing
organism than just a static patch of roads.

Pittsburgh has recently been a popular site for urban-planning
innovation. In August, the city played host to Uber's first rollout of
self-driving cars. Uber selected Pittsburgh because of its odd assortment of
narrow, one-way streets mixed with steep hills and a staggering 446 bridges,
all of which make it an ideal setting for testing the limits of AI.

As IEEE Spectrum reports, Surtrac isn't the only smart traffic-management
system. There are others in Utah, California, and Washington. But unlike
those systems, the stoplights in Pittsburgh don't need a jumble of wires run
beneath the city streets or the help of a central command to run.

In Pittsburgh, Surtrac allows the lights to talk to one another
independently, based only on the feedback from the sensors and cameras. They
essentially think for themselves. ...


Re: Self-driving cars shouldn't have to choose who to protect in a crash

tanner andrews <tanner@payer.org>
Mon, 24 Oct 2016 11:20:09 -0400 (EDT)
Sure, it is worth considering whether the computer should choose to plow
into the large on-coming vehicle, or into the kids in the road.  However,
this presumes way too much.

At this stage, I may be able to figure out that there is a large on-coming
vehicle.  But can the computer be sure it is a truck, as opposed to a
re-purposed school bus full of field workers?  Or a newer school bus which
is full of kids?  Or, for that matter either of these two buses, but having
just unloaded the passengers?

And if we can make the correct identification, would it really be prudent to
slam into the truck, thereby strewing flaming diesel oil, truck parts, and
RISKS reader parts, all through the row of kids?  Which I am hoping we
correctly identified.


Samsung washing machines in Australasia hot issue since 2013

Donald Mackie <donald@iconz.co.nz>
Sat, 22 Oct 2016 12:19:27 +1300
Recall in Australia and NZ in 2013. Ours was *fixed* under the original
recall.  Supposedly added a water shield for some of the electronics.
Subsequent publicity about the number of unfixed machines led us to call
again, one of us thought it had been fixed, the other couldn't recall [*].
Answer was that it had been done but they would send a tech out anyway to
check on it. He came and replaced pretty well all electronics at no charge.
We now have another machine.

http://www.stuff.co.nz/business/industries/82013858/Some-recalled-Samsung-washing-machines-caught-fire-after-being-repaired

  [* That's certainly a common line elsewhere: "I couldn't recall."  PGN]


China's Total Information Awareness? (Simon Denyer)

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 22 Oct 2016 4:04:12 PDT
Simon Denyer, *The Washington Post*, 22 Oct 2016
The world as Total Information Awareness would have been, now brought to you
by the People's Republic of China...
https://www.washingtonpost.com/world/asia_pacific/chinas-plan-to-organize-its-whole-society-around-big-data-a-rating-for-everyone/2016/10/20/1cd0dd9c-9516-11e6-ae9d-0030ac1899cd_story.html?


Every LTE call, text, can be intercepted, blacked out, hacker finds

Lauren Weinstein <lauren@vortex.com>
Sun, 23 Oct 2016 20:45:56 -0700
*The Register* via NNSquad
http://www.theregister.co.uk/2016/10/23/every_lte_call_text_can_be_intercepted_blacked_out_hacker_finds/

  The Third Generation Partnership Project (3GPP) telco body has known of
  the hack since at least 2006 when it issued a document describing Zhang's
  forced handover attack, and accepts it as a risk. The 3GPP's SA WG3
  working group which handles security of LTE and other networks proposed in
  a May meeting that it would refuse-one-way authentication and drop
  encryption downgrade requests from base stations.


Unneeded Services Foster Botnets and other security problems

"Bob Gezelter" <gezelter@rlgsc.com>
Sun, 23 Oct 2016 01:45:09 -0700
From the category of "when will they ever learn": Embedded devices (e.g.,
IoT) should, almost by definition, exclude all but absolutely required
services.  Back doors (e.g., telnet and ssh connections) create attack
surface which can, and will be exploited.

The October 21 DDoS attack against DNS provider Dyn widely disrupted access
to many popular web sites [*]. Internet-connected devices (e.g., cameras,
baby monitors, and routers) are implicated in the attacking botnet.

According to an article published recently by Ars Technica, the devices
subverted into the botnet appear to have run BusyBox, and had the telnet
protocol enabled. Why, pray tell, was telnet enabled on a embedded devices
sold to consumers?

  "Both Mirai and Bashlight exploit the same IoT vulnerabilities, mostly or
  almost exclusively involving weakness involving the telnet remote
  connection protocol in devices running a form of embedded Linux known as
  BusyBox. But unlike Bashlight, the newer Mirai botnet software encrypts
  traffic passing between the infected devices and the command and control
  servers that feed them instructions. That makes it much harder for
  researchers to monitor the malicious network. There's also evidence that
  Mirai is able to seize control of Bashlight-infected devices and possibly
  even patch them so they can never be infected again by a rival
  botnet. About 80,000 of the 963,000 Bashlight devices now belong to Mirai
  operators, Drew said."

If this is correct, it is an example of a completely preventable incident.

The complete Ars Technica article can be found at:
http://arstechnica.com/security/2016/10/brace-yourselves-source-code-powering-potent-iot-ddoses-just-went-public/

Bob Gezelter, http://www.rlgsc.com

  [* Actually, Dyn was involved in only a relatively small portion of the
     what happened.  PGN]


Internet becoming unreadable, lighter thinner fonts (Kevin Marks)

Lauren Weinstein <lauren@vortex.com>
Sun, 23 Oct 2016 19:06:01 -0700
Kevin Marks, *The Telegraph* via NNSquad
http://www.telegraph.co.uk/science/2016/10/23/internet-is-becoming-unreadable-because-of-a-trend-towards-light/

  Where text used to be bold and dark, which contrasted well with
  predominantly white backgrounds, now many websites are switching to light
  greys or blues for their type.  Award winning blogger Kevin Marks, founder
  of Microformats and former vice president of web services at BT, decided
  to look into the trend after becoming concerned that his eyesight was
  failing because he was increasingly struggling to read on screen text.

ALSO:
https://lauren.vortex.com/2016/10/01/google-launches-a-new-consolidated-blog-good-with-a-new-unreadable-font-awful


Internet becoming unreadable, lighter thinner fonts (Kevin Marks)

"Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Tue, 25 Oct 2016 08:43:57 -0500
I have long asserted, that as we grow older, our vision is less easy to
handle poor contrast.  Light print on dark background, in small print, can
lead to the light print blurring.  As institutions abandon testing, they
forget that poor contrast means they are writing off elderly clients - they
don't want their web site readable to elderly population, and soon they
don't care, because they no longer have such people as customers.  People
who design things on desk tops, with high tech, and do not test how readable
that is on hand held screens, or by users with lower tech, fail to realize
that they have created web designs unreadable for large swaths of the
population.  Then there are the visually impaired.  Some nations mandate
that they should have Internet access.  Most sites ignore such laws.

Did you ever wonder why the phone directory yellow pages is in black on
yellow?  It is because that is most readable and eyes-friendly to the most
population.  Phone book publishers wanted to maximize who can see their
stuff.  Apparently many web designers do not share that concept.

Now we have someone in the Tech biz, rediscovering and sharing the truth
that a great deal of the Internet is being made unreadable to much of the
population which wants such access.

Internet is becoming unreadable because of a trend towards lighter, thinner
fonts [..]

The Internet is becoming less readable because of a trend towards lighter
and thinner fonts, making it difficult for the elderly or visually-impaired
to see words clearly, a web expert has found.  [..]

Blogger Kevin Marks, founder of Microformats and former vice president of
web services at BT, decided to look into the trend after becoming concerned
that his eyesight was failing because he was increasingly struggling to read
on screen text.

He found a 'widespread movement' to reduce the contrast between the words
and the background, with tech giants Apple, Google and Twitter all altering
their typography.

True black on white text has a contrast ratio of 21:1 - the maximum which
can be achieved. Most technology companies agree that it is good practice
for type to be a minimum of 7:1 so that the visually-impaired can still see
text.

But Mr Marks, found that even Apple's own typography guidelines, which
recommended 7:1 are written in a contrast ratio of 5.5:1.

Google's guidelines also suggest a 7:1 contrast ratio, but 54 per cent
opacity of display, which brings the ratio down to 4.6:1.

Mr Marks, who has been named one of the Telegraph's 50 must influential
Britons in technology,  said the changes risk undermining the universal
reach of the Internet. "The typography choices of companies like Apple and
Google set the default design of the web, and these two drivers of design
are already dancing on the boundaries of legibility," he warned on the
technology site Backchannel.
https://backchannel.com/how-the-web-became-unreadable-a781ddc711b6#.pek0uyhcp

[I was able to read that site fine in Google Chrome, but it was a totally
blank unreadable screen via MSFT IE.]

"If the web is relayed through text that's difficult to read, it curtails
the open access by excluding large swaths of people such as the elderly, the
visually impaired, or those retrieving websites through low quality screens.
[.]

How easy-to-read is your font?
https://cf-particle-html.eip.telegraph.co.uk/6686b0f6-0f8b-4803-b872-0864a8a2b284.html

[.]
US based Web Accessibility Initiative <https://www.w3.org/WAI/>, which came
up with the original ratio formula in 2008 to help web designers said too
little contrast made web pages 'confusing and frustrating'
[..]
Mr Marks said that reducing the contrast risked alienating some users.

"To arbitrarily throw away contrast based on a fashion that looks good on my
perfect screen in my perfectly lit office is abdicating designer's
responsibilities to the very people for whom they are designing," he said.
"My plea to designers and software engineers: Ignore the fads and go back to
the typographic principles of print.

"You'll be making things better for people who read on smaller, dimmer
screens, even if their eyes aren't aging like mine. It may not be trendy,
but it's time to consider who is being left out by the web's aesthetic."

[..]
http://www.telegraph.co.uk/science/2016/10/23/internet-is-becoming-unreadable-because-of-a-trend-towards-light/


Dyn Statement on the 21 Oct 2016 DDoS Attack (Kyle York)

the keyboard of geoff goodfellow <geoff@iconia.com>
Sat, 22 Oct 2016 13:32:16 -1000
Kyle York, Dyn Chief Strategy Officer, 22 Oct 2016
<http://hub.dyn.com/dyn-blog/dyn-statement-on-10-21-2016-ddos-attack>

  [Note: Check the URL for the complete message.  It has been PGN-pruned
  here, because the statement comes across as more of a PR message).]

It's likely that at this point you've seen some of the many news accounts
of the Distributed Denial of Service (DDoS) attack Dyn sustained against our
Managed DNS infrastructure this past Friday, October 21. We'd like to take
this opportunity to share additional details and context regarding the
attack. At the time of this writing, we are carefully monitoring for any
additional attacks. Please note that our investigation regarding root cause
continues and will be the topic of future updates. It is worth noting that
we are unlikely to share all details of the attack and our mitigation
efforts to preserve future defenses.   [Thanks omitted]

Attack Timeline

Starting at approximately 7:00 am ET, Dyn began experiencing a DDoS attack.
While it's not uncommon for Dyn's Network Operations Center (NOC) team to
mitigate DDoS attacks, it quickly became clear that this attack was
different (more on that later). Approximately two hours later, the NOC team
was able to mitigate the attack and restore service to customers.
Unfortunately, during that time, Internet users directed to Dyn servers on
the East Coast of the US were unable to reach some of our customers' sites,
including some of the marquee brands of the Internet. We should note that
Dyn did not experience a system-wide outage at any time—for example,
users accessing these sites on the West Coast would have been successful.

After restoring service, Dyn experienced a second wave of attacks just
before noon ET. This second wave was more global in nature (i.e. not
limited to our East Coast POPs), but was mitigated in just over an hour;
service was restored at approximately 1:00 pm ET. Again, at no time was
there a network-wide outage, though some customers would have seen extended
latency delays during that time.

News reports of a third attack wave were verified by Dyn based on our
information. While there was a third attack attempted, we were able to
successfully mitigate it without customer impact.

Dyn's operations and security teams initiated our mitigation and customer
communications process through our incident management system. We practice
and prepare for scenarios like this on a regular basis, and we run
constantly evolving playbooks and work with mitigation partners to address
scenarios like these.

What We Know

At this point we know this was a sophisticated, highly distributed attack
involving 10s of millions of IP addresses. We are conducting a thorough
root cause and forensic analysis, and will report what we know in a
responsible fashion. The nature and source of the attack is under
investigation, but it was a sophisticated attack across multiple attack
vectors and Internet locations. We can confirm, with the help of analysis
from Flashpoint and Akamai, that one source of the traffic for the attacks
were devices infected by the Mirai botnet. We observed 10s of millions of
discrete IP addresses associated with the Mirai botnet that were part of
the attack.  [More thanks omitted]

Thank You Internet Community

On behalf of Dyn, I'd like to extend our sincere thanks and appreciation to
the entire Internet infrastructure community for their ongoing show of
support. We're proud of the way the Dyn team and the Internet community of
which we're a part came together to meet yesterday's challenge. Dyn is
collaborating with the law enforcement community, other service providers,
and members of the Internet community who have helped and offered to help.
The number and type of attacks, the duration, the scale, and the complexity
of these attacks are all on the rise. As a company, we have for years worked
closely with the Internet community to assist when others encountered
attacks like these and will continue to do so.  [...]


Hacked Cameras, DVRs Powered Today's Massive Internet Outage

Brett Glass <brett@lariat.net>
Sunday, October 23, 2016
While my small ISP couldn't do much about the massive denial of service
attacks that plagued the Internet this week (except to answer the phone
calls from frustrated customers who could not use Twitter, Disqus, and other
services which relied on Dyn as a DNS provider), we could at least make sure
that we were not contributing to the attacks—and we did.

We blocked incoming attacks by the Mirai worm (which was creating the
botnet that executed the DDoS attacks), monitored our network for
vulnerable camera systems that were attempting to participate in it (there
was only one—a cheap, Chinese DVR rebranded and resold by a company in
New Jersey to one of our rural customers), and set up a honeypot to capture
the code.

The thing which was embarrassing (or should have been) was that the code for
the worm was simpler and easier to analyze than that of the infamous Morris
worm, which was released on the Internet in 1988. It simply brute-forced
certain vulnerable systems via Telnet, using default passwords, and then
wormed its way into the affected systems via the shell.  No need for "stack
smashing" exploits or fancy, hand-assembled machine code; the systems were
such sitting ducks that none of that was necessary to turn them into bots.

The owner of the infected DVR had no idea that he'd bought a vulnerable
piece of equipment, one for which software updates were not available and
whose security holes could not be closed—only shielded from outside
attacks via a firewall and VPN. He was incredulous that anyone would even be
ALLOWED to sell a device that insecure, or that the FCC—via its unwise
and illegal "network neutrality" regulations—would require ISPs like me
to leave them exposed to attacks by default.

As an ISP, an engineer, and an embedded system developer, all I can say is,
"I told you so."


German voting system, for comparison

Thomas Koenig <tkoenig@netcologne.de>
Sun, 23 Oct 2016 22:11:04 +0200
First, there is no voter registration per se.  Everybody who moves house is
required by law to report to the registry office ("Einwohnermeldeamt"). This
office keeps track of everybody's date of birth and nationality, so they
know when somebody is eligible for voting.

A few weeks before the election, everybody who may vote is sent voting
cards.  These can be used to request ballots, if the person wants to do
this, they send in a the voting card, get a ballot, fill it out and send it
back by mail in an envelope inside an envelope.  The outer envelopes are
opened, and the inner envelopes stored someplace at the appropriate office.
How replacement of ballots is prevented there, I don't know.

On voting day (which is usually a Sunday), people go to the polling station,
where they present their voting cards.  If they have lost them, or forgotten
them at home, they can show their ID cards instead, which everybody in
Germany is required to have by law.

The name is checked against a list of voters, and it is marked that that
person has voted.

Voting is done on paper ballots; you make a cross inside a circle next to
the name of the candidate or party you choose.

Counting is done by hand, by volunteers or by draft. The counting process is
open to everybody.  Parties which have suspected of being cheated have urged
their members to attend the counting process to report irregularities.

Paper ballots are kept to allow a recount.  This has changed the result of
elections in the last years a few times, leading to one additional seat
given to the AfD in state elections in Bremerhaven after pupils miscounted
badly, or to the ruling red-green coalition losing its majority in Cologne
one year after the election.


Re: Undetectable election hacking? (Kramer, Risks-29.87)

Mark Brader
Sat, 22 Oct 2016 20:37:57 -0400 (EDT)
Mark Kramer writes:
> In the US Presidential elections people are not voting for parties. They are
> not even voting for the people named on the ballot...
>
> In the US, people are actually voting state-by-state for people called
> "electors", who are appointed by each state to participate in the Electoral
> College. Those electors actually cast the final votes for the President.
> They are supposed to be sworn to vote for the person (not the party) who won
> the state-wide popular vote, but I believe there have been cases of
> defection in the past. And even though the official "election" is assumed by
> many to close at 8PM local time and all the hoopla starts over who won and
> lost, it truly doesn't even take place until December when the Electoral
> College meets to cast their ballots.
>
> This system was designed and described in the US Constitution when it was
> first written.

In fact, nothing in the US Constitution has ever specified (1) that when the
public votes to choose the electors, the names on the ballot should be those
of the presidential candidates they have sworn to vote for; (2) that
electors should be pledged to vote for a particular candidate at all; or for
that matter (3) that electors should be chosen through a public vote at all.
All of these things have been false in some cases.

The present system where all these things are true is one that has arisen on
top of the constitutional one—and may reasonably be considered to have
subverted the original notion that the choice of the president was too
important to leave up to the general public.

Incidentally, it is also not true (4) that the Electoral College meets.
Actually, as the constitution specifies, there are 51 separate meetings of
the electors, one in each state and one in DC.  The results from each state
are sent to Washington and opened and tabulated in the presence of Congress.


Re: Undetectable election hacking? (Smith, RISKS-29.86)

Paul Edwards <paule@cathicolla.com>
Sat, 22 Oct 2016 14:10:24 +1100
> Australia has begun registering voters automatically.

This might be news to the Australian Electoral Commission, the body
responsible for administering the electoral roll and running federal
elections in Australia.

Do you have a source for this assertion?

http://www.aec.gov.au/enrol/ suggests that enrolling is still a voter-initiated process.

> That's because Australia has instant run-off voting and proportional
> representation, so the number of minority votes in a given district could
> affect future elections.

To clarify for RISKS readers, Australia has a bicameral parliament. The
lower house (House of Reps) is a winner-take-all proposition on a
seat-by-seat basis, which uses a preferential run-off system. Thus the
disgruntled voter can send a message to the major party by voting for a
candidate who has no chance to win, and preferencing their
preferred/least-evil major party candidate second. As such, such a vote
won't influence future elections, but may (in theory) cause a rethink of
policy platforms.

The upper house (Senate) is proportional representation, also using a
preferential run-off system, but one that is now different to the lower
house (after a law change earlier this year).

It's worth noting that despite the mythology around Australian voting, it's
not compulsory to vote in Australia. If you are not on the roll, you don't
have to vote. If you are on the electoral roll, on election day you have an
obligation to attend a voting centre and have your name marked off the
roll. That's enough to avoid the fine. (For me, I also go the next step and
actually vote). The population of Australia is ~24 million; on election day
in 2016 there were 15.7 million folks on the electoral roll, with a turnout
of 14.3 million (91% turnout). (source for the latter two stats:
http://results.aec.gov.au/20499/Website/HouseTurnoutByState-20499.htm )


Re: Undetectable election hacking? (Smith)

David Brodbeck <david.m.brodbeck@gmail.com>
Fri, 21 Oct 2016 21:14:19 -0700
"It happens to be a very common comparison because Diebold's ATM machines
are extremely accurate."

This is true, but it's largely because the criteria for a voting machine
are almost exactly opposite those of an ATM.

An ATM doesn't just need to accurately record your input, it also:
a) Keeps an identifiable record of what transaction you made.
b) Allows your actions (and in many cases your photo) to be correlated with
   the final result, if there's a need to audit it later.  The ATM security
   model revolves heavily around the idea that only you have your PIN and
   card combo, so the machine can know with certainty who you are.

By contrast, a voting machine:
a) must NOT retain identifying information
b) must NOT be able to correlate any one vote with a specific individual.

If we didn't have the secret ballot, we could build our voting machines like
ATMs and verifying votes would be easy, but that's not the way we've chosen
to structure our democracy.

Also, you might be overestimating how secure the average ATM is.  Most are
internally just commodity PC hardware running a consumer operating system;
this used to be Windows CE but I don't know what the OS of choice is now,
since I haven't worked on one in about 10 years.


The Right to be Forgotten for posts sitting in a moderator's queue

Dan Jacobson <jidanni@jidanni.org>
Mon, 24 Oct 2016 07:43:18 +0800
* User accidentally cuts and pastes his entire family bank records to the
  bottom of a post. But now it is in the moderator queue and user is late to
  the airport for a long trip.

* If it was an unmoderated post already posted, the user could easily edit
  it, but now it sits like a ticking time bomb in the moderator's queue, for
  how long, nobody knows, as the moderator is on a trip of his own.

* User is turning purple in horror, considering asking the government for
  assistance in stopping the pending possible disastrous release of personal
  information.

* Or: at 06:00 user makes a libelous post that gets queued. 10:00 user and
  party B agree to an out of court settlement. User wishes to stop potential
  post, but cannot! 12:00 moderator approves post leading to
  misunderstandings on all sides, and even violence.

* Or: N. Koreans launch a missile headed for the U.S. When halfway there the
  two sides reach a peace agreement. However there is no ABORT button to
  stop the missile!

Please report problems with the web pages to the maintainer

Top