The RISKS Digest
Volume 31 Issue 97

Tuesday, 9th June 2020

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Democracy Live Internet voting: unsurprisingly insecure, and surprisingly insecure
Specter and Halderman with Andrew Appel's comments via PGN
More on Internet e-voting: Swiss Post purchases Scytl
Report Details New Cyber Threats to Elections From Covid-19
Maggie Miller
IBM ends all facial recognition business as CEO calls out bias and inequality
Cox slows an entire neighborhood's Internet after one person's'excessive use'
Environmentalists Targeted Exxon Mobil. Then Hackers Targeted Them.
Big brands bring the fight to Big Tech
System Security Integration Through Hardware and Firmware
DARPA via Richard Stein)
2018 War Game Scenario has Gen Z Revolting
Skullcap SaVant via goodfellow
A Million-Mile Battery From China Could Power Your Electric Car
I wrote this law to protect free speech. Now Trump wants to revoke it.
Ron Wyden via CNN
Programming ‘language’: Brain scans reveal coding uses same regions as speech
Medical Express
Cisco's Warning: Critical Flaw in IOS Routers Allows ‘Complete System Compromise’
Liam Tung
False Negative Tests for SARS-CoV-2 Infection—Challenges and Implications
Re: Just Stop the Superspreading
Atilla Wol Amos Shapir Rob Slade
Info on RISKS (comp.risks)

Democracy Live Internet voting: unsurprisingly insecure, and surprisingly insecure (Specter and Halderman, with Andrew Appel's

“Peter G. Neumann” <neumann@CSL.SRI.COM>
Tue, 9 Jun 2020 10:29:39 PDT

A new report by Michael Specter (MIT) and Alex Halderman (U. of Michigan) <> demonstrates that the OmniBallot Internet voting system from Democracy Live <> is fatally insecure. That by itself is not surprising, as no known technology could make it secure. What is surprising is all the /unexpected/ insecurities that Democracy Live crammed into OmniBallot—and the way that Democracy Live skims so much of the voter's private information.

Andrew Appel <> has posted an extremely relevant article in Freedom-to-Tinker:

The OmniBallot Internet voting system from Democracy Live finds surprising new ways to be insecure, in addition to the usual (severe, fatal) insecurities common to all Internet voting systems.

There's a very clear scientific consensus that “the Internet should not be used for the return of marked ballots” because “no known technology guarantees the secrecy, security, and verifiability of a marked ballot transmitted over the Internet.” That's from the National Academies 2018 consensus study report <>, consistent with the May 2020 recommendations from the U.S. EAC/NIST/FBI/CISA. <>

More on Internet e-voting: Swiss Post purchases Scytl (SwissInfo)

“Peter G. Neumann” <>
Tue, 9 Jun 2020 10:11:57 PDT

Swiss Post set to relaunch its e-voting system | Sonia Fenazzi/SwissInfo <> The controversial issue of e-voting is back: Swiss Post, which had halted the development of a project in July 2019, has bought a Spanish-owned system and plans to propose a platform ready for testing by 2021.

Opposition to the plans of Swiss Post remains strong. The purchase was reported on May 17 by the SonntagsBlick newspaper, who wrote that the deal between Swiss Post and Spanish firm Scytl had been settled for an unspecified amount.

The deal follows the bankruptcy of the Spanish company, with whom Swiss Post had been working on a system until flaws discovered last year sparked a political debate, which ended in the government dropping e-voting plans for the time being.

Swiss Post spokesperson Oliver Fl=C3=BCeler confirmed to that last summer, despite the opposition, his company decided to continue developing a system on its own, and “after several months of negotiations” it secured the rights to the source code from Scytl.

The aim is now to propose an e-vote system by 2021 that “takes into account various federal particularities” and “responds even better to the high and specific requirements of a Swiss electronic voting system”, Fl=C3=BCeler said.

He added that Swiss Post takes public concerns about security and the role of foreign suppliers very seriously, but insisted that it doesn't plan to go it completely alone.

“In future, Swiss Post will increasingly cooperate with Swiss universities of applied sciences, other higher education institutions and encryption experts,” he said. And “to guarantee maximum security at all times, Swiss Post “will reissue the new improved source code so that independent national and international experts can verify any weaknesses”.


E-voting was first introduced in Switzerland on a limited basis in 2003, as part of ongoing tests. However, political opposition and skepticism over the safety of such a voting channel has been a constant over the years, and again with this latest twist, not everyone is happy.

Franz Gr=C3=BCter, a right-wing parliamentarian who also heads a people's initiative calling for a moratorium on e-voting projects in Switzerland, criticised the Swiss Post move and called for a parliamentary inquiry.

“There are good reasons to check whether Swiss Post—a state-controlled company—acted correctly and paid a fair price, because the whole thing seems to lack transparency,” he said.

The parliamentarian and IT entrepreneur added: “It's hard to believe that Swiss Post has paid an undisclosed price for a system which we already know doesn't work properly. In other countries, too, Scytl systems have experienced major problems. Perhaps that's precisely why the company went bankrupt”.

He said Swiss Post should have started from scratch and developed an entirely new system, “which could have restored trust and therefore considerably reduced opposition to e-voting”—an opposition that is widespread in Swiss political circles. [PGN truncated for RISKS]

Report Details New Cyber Threats to Elections From Covid-19 (Maggie Miller)

ACM TechNews <>
Mon, 8 Jun 2020 12:04:29 -0400 (EDT)

Maggie Miller, The Hill, 5 Jun 2020 via ACM TechNews, Monday, June 8, 2020

A report compiled by New York University's Brennan Center for Justice outlines a wide range of cyber threats stemming from voting changes prompted by Covid-19. Such threats include attempts to target election officials working on unsecured networks at home, recovering from voter registration system outages, and securing online ballot request systems. Report co-author Lawrence Norden said election officials already dealing with cyber threats now face additional challenges due to the pandemic. Election-security upgrades come with funding challenges because of Covid-19 disruptions, and the Brennan Center calculates $4 billion must be appropriated to make needed changes. Said Norden, “There is no question that what Congress can do, and really has to do very soon, is provide more money to states and localities so they can invest in election security over the next few months.”

IBM ends all facial recognition business as CEO calls out bias and inequality (TechCrunch)

Lauren Weinstein <>
Mon, 8 Jun 2020 18:54:33 -0700

Cox slows an entire neighborhood's Internet after one person's ‘excessive use’ (Engadget)

Lauren Weinstein <>
Tue, 9 Jun 2020 10:44:34 -0700

Environmentalists Targeted Exxon Mobil. Then Hackers Targeted Them. (NYTimes)

Monty Solomon <>
Tue, 9 Jun 2020 09:53:48 -0400

Federal prosecutors in Manhattan are investigating a global hacker-for-hire operation that sent phishing emails to environmental groups, journalists and others.

Big brands bring the fight to Big Tech (Politico)

Richard Stein <>
Tue, 9 Jun 2020 17:28:19 +0800

The EU's Digital Services Act proposes platform rules to suppress and prevent counterfeit IP sales, such as fraudulent-branded women's accessories (handbags, shoes, etc.), that appear for sale on, Facebook, Alibaba. (

The platforms now practice voluntary fraud prevention efforts: “Amazon said the company invested ‘over $500 million in 2019 and has more than 8,000 employees protecting [their] store from fraud and abuse.’”

“Despite these efforts, ‘it's still like comparing Chernobyl with [the Three Mile Island nuclear accident in] Harrisburg, Pennsylvania,’ Daniel Wellington's Sj�strand said.”

Policing (inspecting and certifying) platform supplier bona fides, and the authenticity of brand-name sale items is time-consuming, difficult to fulfill, slows inventory turnover in warehouses, etc. The platforms have instituted policing for personnel protective equipment during the COVID-19 Pandemic. Why not continue this practice for less vital goods?

The affected consumer brands (Nike, LVMH, Coach, Kate Spade, etc.) hemorrhage profits from an escalating sales velocity of highly desirable, and apparently good enough, knock-offs. One business' profit is another business' expense.

Counterfeit consumer item sales liability will be challenging to resolve and enforce internationally.

Counterfeit internet sales is big business for the ethically-challenged and the criminally-inclined. estimates the tab at US$ 1.77T in 2015 and growing. Millions of jobs at risk, stock prices gutted, salaries and bonuses cut, reputations risked, etc.

System Security Integration Through Hardware and Firmware (DARPA)

Richard Stein <>
Tue, 9 Jun 2020 10:05:53 +0800

“Electronic system security has become an increasingly critical area of concern for the DoD and more broadly for security of the U.S. as a whole. Current efforts to provide electronic security largely rely on robust software development and integration. Present responses to hardware vulnerability attacks typically consist of developing and deploying patches to the software firewall without identifying or addressing the underlying hardware vulnerability. As a result, while a specific attack or vulnerability instance is defeated, creative programmers can develop new methods to exploit the remaining hardware vulnerability and a continuous cycle of exploitation, patching, and subsequent exploitations ensues.&8221;

“The System Security Integration Through Hardware and Firmware (SSITH) program seeks to break this cycle of vulnerability exploitation by developing hardware security architectures and associated design tools to protect systems against classes of hardware vulnerabilities exploited through software, not just vulnerability instances. Areas of exploration that are targeted by SSITH include anomalous state detection, meta-data tagging, and churning of the electronic attack surface. The goal of the program is to develop ideas and design tools that will enable system-on-chip (SoC) designers to safeguard hardware against all known classes of hardware vulnerabilities that can be exploited through software, such as exploitation of permissions and privilege in the system architectures, memory errors, information leakage, and code injection. To accomplish its goal, SSITH seeks to encourage collaboration between research teams, commercial teams, and traditional DoD performers to provide robust and flexible solutions applicable to both DoD and commercial electronic systems.”

Constructive to subdue microcode-enabled exploits. Formal methods (FM) (see have been applied in some cases.

During the 1980s, I seem to recall the INMOS transputer applied FM to demonstrate IEEE-754 floating-point verification compliance.

Once implemented, will the IP comprising the tools and their test cases be immunized against unauthorized access or from theft?

2018 War Game Scenario has Gen Z Revolting

Skullcap SaVant <>
Mon, Jun 8, 2020 at 7:14 AM

This article is a wonderful piece of sleuthing. This news outlet received (via FOIA request) documents detailing a war game scenario that was conducted in 2018 which forecasted a future of revolution by 2025, that would be conducted by GEN Z. The scenario's trigger points are SPOT ON with the current unrest in the world, but sped up by 5 years because of the “unknown unknown” of COVID.

The scenario includes GEN Z educating each other on how to use the dark web and thus teaching them to be a generation of “Cyber Punks” which know how to hack and cover their tracks. The wargame plays out with corporations being the most vulnerable, as GEN Z will enact their own form of vigilante justice by siphoning the digital bank accounts of the largest companies and convert it to bitcoin… only to be redistributed to the masses “Robin Hood” style.

Pentagon War Game Includes Scenario for Military Response to Domestic Gen Z Rebellion


In the face of protests composed largely of young people, the presence of America's military on the streets of major cities has been a controversial <> development. But this isn't the first time that Generation Z—those born after 1996—has popped up on the Pentagon's radar.

Documents obtained by The Intercept via the Freedom of Information Act reveal that a Pentagon war game, called the 2018 Joint Land, Air and Sea Strategic Special Program, or JLASS, offered a scenario in which members of Generation Z, driven by malaise and discontent, launch a “Zbellion” in America in the mid-2020s.

The Zbellion plot was a small part of JLASS 2018, which also featured scenarios involving Islamist militants in Africa, anti-capitalist extremists, and ISIS successors. The war game was conducted by students and faculty from the U.S. military's war colleges, the training grounds for prospective generals and admirals. While it is explicitly not a national intelligence estimate, the war game, which covers the future through early 2028, is “intended to reflect a plausible depiction of major trends and influences in the world regions,” according to the more than 200 pages of documents.

According to the scenario, many members of Gen Z—psychologically scarred in their youth by 9/11 and the Great Recession, crushed by college debt, and disenchanted with their employment options—have given up on their hopes for a good life and believe the system is rigged against them. Here's how the origins of the uprising are described: […]

A Million-Mile Battery From China Could Power Your Electric Car (Bloomberg)

geoff goodfellow <>
Mon, 8 Jun 2020 09:38:21 -1000

CATL ready to sell pack that lasts 16 years, chairman says Milestone could bring EV ownership costs down, boost demand

The Chinese behemoth that makes electric-car batteries for Tesla Inc. and Volkswagen AG developed a power pack that lasts more than a million miles — an industry landmark and a potential boon for automakers trying to sway drivers to their EV models.

Contemporary Amperex Technology Co. Ltd. is ready to produce a battery that lasts 16 years and 2 million kilometers (1.24 million miles), Chairman Zeng Yuqun said in an interview at company headquarters in Ningde, southeastern China. Warranties on batteries currently used in electric cars cover about 150,000 miles or eight years, according to BloombergNEF.

Extending that lifespan is viewed as a key advance because the pack could be reused in a second vehicle. That would lower the expense of owning an electric vehicle, a positive for an industry that's seeking to recover sales momentum lost to the coronavirus outbreak and the slumping oil prices that made gas guzzlers more competitive. […]

Ron Wyden: I wrote this law to protect free speech. Now Trump wants to revoke it. (CNN)

Lauren Weinstein <>
Tue, 9 Jun 2020 10:47:57 -0700

Programming ‘language’: Brain scans reveal coding uses same regions as speech (Medical Express)

Dave Farber <>
Mon, 8 Jun 2020 13:56:22 +0900

Cisco's Warning: Critical Flaw in IOS Routers Allows ‘Complete System Compromise’ (Liam Tung)

ACM TechNews <>
Mon, 8 Jun 2020 12:04:29 -0400 (EDT)

Liam Tung, ZDNet, 4 Jun 2020 via ACM TechNews, Monday, June 8, 2020

Cisco has released information on four security flaws impacting router equipment that uses its IOS XE and IOS networking software. One flaw involves the authorization controls for the Cisco IOx application hosting infrastructure in Cisco IOS XE, which could allow a non-credentialed remote attacker to execute Cisco IOx application-programming-interface commands without proper authorization. Another flaw is a command-injection bug in Cisco's implementation of the inter-virtual machine (VM) channel of Cisco IOS Software for Cisco 809 and 829 Industrial Integrated Services Routers and Cisco 1000 Series Connected Grid Routers. The software inadequately validates signaling packets routed to the Virtual Device Server (VDS), which could allow attackers to send malware to an affected device, hijack VDS, and completely compromise the system. The two remaining bugs involve a vulnerability in Cisco's 800 Series industrial routers, through which hackers could remotely execute arbitrary code or cause it to crash and reload. Cisco says it has delivered updates to address the critical flaws affecting its industrial routers.

False Negative Tests for SARS-CoV-2 Infection—Challenges and Implications (NEJM)

Dewayne Hendricks <>
June 8, 2020 at 22:22:54 GMT+9

[Note: This item comes from friend David Rosenthal. DLH]

False Negative Tests for SARS-CoV-2 Infection—Challenges and Implications By Steven Woloshin, M.D., Neeraj Patel, B.A., and Aaron S. Kesselheim, M.D., J.D., M.P.H. Jun 5 2020 <>

There is broad consensus that widespread SARS-CoV-2 testing is essential to safely reopening the United States. A big concern has been test availability, but test accuracy may prove a larger long-term problem.

While debate has focused on the accuracy of antibody tests, which identify prior infection, diagnostic testing, which identifies current infection, has received less attention. But inaccurate diagnostic tests undermine efforts at containment of the pandemic.

Diagnostic tests (typically involving a nasopharyngeal swab) can be inaccurate in two ways. A false positive result erroneously labels a person infected, with consequences including unnecessary quarantine and contact tracing. False negative results are more consequential, because infected persons—who might be asymptomatic—may not be isolated and can infect others.

Given the need to know how well diagnostic tests rule out infection, it's important to review assessment of test accuracy by the Food and Drug Administration (FDA) and clinical researchers, as well as interpretation of test results in a pandemic.

The FDA has granted Emergency Use Authorizations (EUAs) to commercial test manufacturers and issued guidance on test validation.1 The agency requires measurement of analytic and clinical test performance. Analytic sensitivity indicates the likelihood that the test will be positive for material containing any virus strains and the minimum concentration the test can detect. Analytic specificity indicates the likelihood that the test will be negative for material containing pathogens other than the target virus.

Clinical evaluations, assessing performance of a test on patient specimens, vary among manufacturers. The FDA prefers the use of “natural clinical specimens” but has permitted the use of “contrived specimens” produced by adding viral RNA or inactivated virus to leftover clinical material. Ordinarily, test-performance studies entail having patients undergo an index test and a “reference standard” test determining their true state. Clinical sensitivity is the proportion of positive index tests in patients who in fact have the disease in question. Sensitivity, and its measurement, may vary with the clinical setting. For a sick person, the reference-standard test is likely to be a clinical diagnosis, ideally established by an independent adjudication panel whose members are unaware of the index-test results. For SARS-CoV-2, it is unclear whether the sensitivity of any FDA-authorized commercial test has been assessed in this way. Under the EUAs, the FDA does allow companies to demonstrate clinical test performance by establishing the new test's agreement with an authorized reverse-transcriptase-polymerase-chain-reaction (RT-PCR) test in known positive material from symptomatic people or contrived specimens. Use of either known positive or contrived samples may lead to overestimates of test sensitivity, since swabs may miss infected material in practice.1

Designing a reference standard for measuring the sensitivity of SARS-CoV-2 tests in asymptomatic people is an unsolved problem that needs urgent attention to increase confidence in test results for contact-tracing or screening purposes. Simply following people for the subsequent development of symptoms may be inadequate, since they may remain asymptomatic yet be infectious. Assessment of clinical sensitivity in asymptomatic people had not been reported for any commercial test as of June 1, 2020.

Two studies from Wuhan Province, China, arouse concern about false negative RT-PCR tests in patients with apparent Covid-19 illness. In a preprint, Yang et al. described 213 patients hospitalized with Covid-19, of whom 37 were critically ill.2 They collected 205 throat swabs, 490 nasal swabs, and 142 sputum samples (median, 3 per patient) and used an RT-PCR test approved by the Chinese regulator. In days 1 through 7 after onset of illness, 11% of sputum, 27% of nasal, and 40% of throat samples were deemed falsely negative. Zhao et al. studied 173 hospitalized patients with acute respiratory symptoms and a chest CT “typical” of Covid-19, or SARS-CoV-2 detected in at least one respiratory specimen. Antibody seroconversion was observed in 93%.3 RT-PCR testing of respiratory samples taken on days 1 through 7 of hospitalization were SARS-CoV-23 positive in at least one sample from 67% of patients. Neither study reported using an independent panel, unaware of index-test results, to establish a final diagnosis of Covid-19 illness, which may have biased the researchers toward overestimating sensitivity.

In a preprint systematic review of five studies (not including the Yang and Zhao studies), involving 957 patients (“under suspicion of Covid-19” or with “confirmed cases”), false negatives ranged from 2 to 29%.4 However, the certainty of the evidence was considered very low because of the heterogeneity of sensitivity estimates among the studies, lack of blinding to index-test results in establishing diagnoses, and failure to report key RT-PCR characteristics.4Taken as a whole, the evidence, while limited, raises concern about frequent false negative RT-PCR results.

If SARS-CoV-2 diagnostic tests were perfect, a positive test would mean that someone carries the virus and a negative test that they do not. With imperfect tests, a negative result means only that a person is less likely to be infected. To calculate how likely, one can use Bayes' theorem, which incorporates information about both the person and the accuracy of the test (recently reviewed5). For a negative test, there are two key inputs: pretest probability—an estimate, before testing, of the person's chance of being infected—and test sensitivity. Pretest probability might depend on local Covid-19 prevalence, SARS-CoV-2 exposure history, and symptoms. Ideally, clinical sensitivity and specificity of each test would be measured in various clinically relevant real-life situations (e.g., varied specimen sources, timing, and illness severity).

Assume that an RT-PCR test was perfectly specific (always negative in people not infected with SARS-CoV-2) and that the pretest probability for someone who, say, was feeling sick after close contact with someone with Covid-19 was 20%. If the test sensitivity were 95% (95% of infected people test positive), the post-test probability of infection with a negative test would be 1%, which might be low enough to consider someone uninfected and may provide them assurance in visiting high-risk relatives. The post-test probability would remain below 5% even if the pretest probability were as high as 50%, a more reasonable estimate for someone with recent exposure and early symptoms in a “hot spot” area.

But sensitivity for many available tests appears to be substantially lower: the studies cited above suggest that 70% is probably a reasonable estimate. At this sensitivity level, with a pretest probability of 50%, the post-test probability with a negative test would be 23%—far too high to safely assume someone is uninfected.

Re: Just Stop the Superspreading (Baker, RISKS-31.96)

Attila the Hun <>
Mon, 8 Jun 2020 12:46:57 +0100

In Just Stop the Superspreading (Arthur T., RISKS-31.95), Henry Baker attributes the statement: “If you think education is expensive, try ignorance”, to Derek Bok, a President of Harvard University.

Although, in 1978, Ann Landers credited Bok with saying this, in 1998 she wrote that Bok had contacted her and disclaimed authorship of the quotation.

A source of the statement might well be a 1902 advertisement for a Conservatory of Music in Ottumwa, Iowa, which included: “Education is expensive but ignorance is more so.” Who amended it to the form more commonly known appears to be unknown.

Re: Just Stop the Superspreading (Baker, RISKS-31.96)

Wol <>
Mon, 8 Jun 2020 17:50:08 +0100

I'll give you that—the general public—or rather journalists—love to talk about the average (the mean) but apply where it doesn't make sense.

And this is where your argument falls apart (and I lose patience with you). If you're going to slag other people off for poor science, DON'T DO IT YOURSELF.

You have just defined all “normal” distributions as the Bell Curve, which itself is NOT a normal distribution. It's rather rare in nature, which is why it's a bloody nuisance as being the easiest to understand but at the same time the least relevant to reality.

> For (ab)normal distributions, mean/median/mode can vary widely from one
> another, or may not even exist—e.g., the pathological, but not unusual,
> ‘Cauchy’ distribution (“applications of the Cauchy distribution … can be
> found in fields working with exponential growth” [Wikipedia]), which has
> neither a mean/expected value, nor avariance, nor a standard
> deviation, thus for the Cauchy distribution (and many other commonly
> occurring distributions) Arthur's phrase “the size of the standard
> deviation” is nonsensical.

I think the rule here is “know your distribution”, and don't apply the rules for one when the numbers are a different one. It's like the chi-squared test — it's tempting to use it more than you should because it seems good, but it's actually totally inappropriate under most circumstances.

> Takeaway: when some distribution is not ‘normal’, then our INTUITION FAILS
> US.

Let me rephrase that—when the distribution is not a Bell Curve, then the General Public will completely misunderstand it.

> The sign on an abnormal distribution should read: “Abandon all
> intuition, ye who enter here”.  Something is dreadfully wrong when the
> variance/standard deviation or even the mean/expected value does not exist.
> Even when the mean/‘expected value’ does exist for such an abnormal
> distribution, it is almost always misleading and/or useless.  Perhaps it
> would be more appropriate to call such a mean ‘the SUSpected value’!:-)

I think you think you are talking about pretty much anything outside of a Bell Curve. But other distributions are also well understood (by statisticians).

For example, your beloved (ab)normal SuperSpreader distribution is just a normal skewed distribution—the same distribution and maths associated with salaries, actually—and I would think that is well understood!

(And while I would not claim to be a statistician, having studied Statistics, Relativity and Quantum Mechanics at Uni, I can at least spot a bullshit argument relatively <groan> easily.)

Re: Just Stop the Superspreading (Baker, Risks 31.96)

Amos Shapir <>
Tue, 9 Jun 2020 11:24:37 +0300

The way I've heard it, when one asks “Why do models use the normal distribution?”, statisticians say “We don't know, the mathematicians tell us it's easier to calculate that way”, and mathematicians say “We don't know, the statisticians tell us this is what happens in the real world”.

Re: Just Stop the Superspreading (Baker, RISKS-31.96)

Rob Slade <>
Tue, 9 Jun 2020 08:25:06 -0700
> and with Avagadro's number of ‘independent’ variables

Does that mean we have a mole influencing our decisions?

Please report problems with the web pages to the maintainer