https://www.sandiegouniontribune.com/news/us-politics/la-na-pol-voting-by-phone-20190516-story.html With their playbook for pushing government boundaries as a guide, some Silicon Valley investors are nudging election officials toward an innovation that prominent coders and cryptographers warn is downright dangerous for democracy. Voting by phone could be coming soon to an election near you. As seasoned disruptors of the status quo, tech pioneers have proven persuasive in selling the idea, even as the National Academies of Science, Engineering and Medicine specifically warn against any such experiment. The fight over mobile voting pits technologists who warn about the risks of entrusting voting to apps and cellphones against others who see Internet voting as the only hope for getting most Americans to consistently participate on election day. "There are so many things that could go wrong," said Marian Schneider, president of Verified Voting, a coalition of computer scientists and government transparency advocates pushing for more-secure elections. "It is an odd time for this to be gaining momentum." [PGN-truncated for RISKS. Lots more on Bradley Tusk, who is spearheading vote-by-phone, and Voatz, with responses from Josh Benaloh, who responds that this is just `Magic beans', also relating to using blockchains: Blockchains "don't solve any of the problems," Benaloh said. "They actually introduce new ones, and make things worse." Worth reading in its entirety if you believe this is a good idea! PGN-ed]
Martin Matishak and Gary Fineout, Politico Florida lawmakers once again railed against the FBI on Thursday for its handling of the investigation into Russian election tampering in the state, and expressed skepticism that the intrusion didn't alter voter rolls. After a briefing with the FBI about its investigation into the 2016 cyber-attacks, members of the state's congressional delegation blasted the bureau for not even revealing the names of the affected counties for almost three years. "I don't know who the hell they think they are not to share that information with us," said Republican Rep. Matt Gaetz. Congressional lawmakers just found out Thursday the identities of the counties but did not reveal the names to reporters following the closed-door meeting with FBI officials. Thursday's briefing marked the latest chapter in the ongoing saga since March, when special counsel Robert Mueller issued his redacted report on Russian interference in the 2016 election, which concluded that at least one Florida county had been hacked. While the FBI and Department of Homeland Security say they have "no evidence" the voter databases were tampered with by Russian hackers, "there's more to follow there," Rep. Michael Waltz (R-Fla.) said during a Capitol Hill press conference that followed a classified briefing from the agencies. "We have a lot of questions across our delegation on how the FBI came to that determination," added Waltz. He noted bureau officials were "very clear" that voter rolls were not manipulated and that the election results were not impacted by the breaches. Rep. Debbie Mucarsel-Powell (D-Fla.) likewise said lawmakers weren't able to get with "certainty" that the databases had been left alone, explaining the FBI told them hackers were able to "enter the garage" but "not the house" of the two county networks.
Still, the revelations that Russian hackers were able to penetrate another Florida county do raise new troubling questions about the scope of Moscow's attempts to tamper with the 2016 presidential election, which has been the subject of much confusion. Incumbent Sen. Bill Nelson, a Democrat, asserted that Russians had successfully hacked Florida's systems; Sen. Rick Scott assailed him on the campaign trail, demanding proof and calling the comment "irresponsible". Scott, a Republican and governor at the time, unseated Nelson in November. Scott, who had his own briefing a day earlier, said in a statement he had urged the FBI to divulge the name of the two counties the Russians successfully targeted but that he was "confident" in Florida's election security efforts. He also defended his attacks on Nelson, saying "the FBI could not provide any evidence to support the claims about security during the 2018 election made by then-Senator Nelson, which confirms the conclusion of both the FBI and the Department of Homeland Security at the time." Scott's statement, however, is not completely accurate. His campaign also assailed Nelson for asserting that the Russians obtained access in 2016. Additionally, the DHS last year said the Russians were unable to access "vote tallying systems" in 2016. They said nothing at the time about accessing voter information records. After a meeting with the FBI and DHS last week, Florida Gov. Ron DeSantis Tuesday held a press conference where he revealed that two counties had been breached. However, the FBI made him sign a nondisclosure agreement to not reveal details of the meeting. Waltz said the FBI sent "multiple warnings" to state officials about the possible threat, held a conference call with local leaders and had a "back and forth" with vendors responsible for the voter database software.
While the FBI argued it couldn't reveal the names in order to "protect sources and methods" and because the bureau had labeled the supervisor of elections in the counties as the "victims," members still expressed bipartisan outrage over the level of secrecy surrounding the 2016 hacks. Rep. Stephanie Murphy (D-Fla.), who along with Waltz originally requested Thursday's briefing, called the lack of transparency "counter-productive" and predicted it would erode confidence in the election systems. Lawmakers said they asked FBI and DHS to go back and review their notification system, adding they asked a lot of questions about the nature of the communications between the bureau and local and state officials. Rep. Darren Soto (D-Fla.) said it was "critical" that members come together to support legislation that would require DHS to brief the congressional delegations of states that had been targeted or successfully hacked. Murphy said the delegation had asked the FBI to review if the information shared Thursday could be made available before the 2020 elections. There is "more work that needs to be done," she said.
Maggie Miller, The Hill, 15 May 2019 Senate Dems introduce election security bill requiring paper ballots https://thehill.com/policy/cybersecurity/443809-senate-dems-introduce-election-security-bill-requiring-paper-ballots Sen. Ron Wyden (D-Ore.) and a group of 12 other senators introduced a bill Wednesday to mandate the use of paper ballots in U.S. elections and also ban all Internet, Wi-Fi and mobile connections to voting machines in order to limit the potential for cyber interference. Wyden's office described the Protecting American Votes and Elections (PAVE) Act as "providing the strongest protections for American elections of any proposal currently before Congress." <https://www.wyden.senate.gov/imo/media/doc/Protecting American Votes and Elections Act of 2019 Bill Text.pdf> The legislation would also give the Department of Homeland Security the power to set minimum cybersecurity standards for U.S. voting machines, authorize a one-time $500 million grant program for states to buy ballot-scanning machines to count paper ballots and require states to conduct risk-limiting audits of all federal elections in order to detect any cyber hacks. Among the bill's co-sponsors are 2020 presidential candidates Sens. Bernie Sanders (I-Vt.), Elizabeth Warren (D-Mass.), Cory Booker (D-N.J.), Kirsten Gillibrand (D-N.Y.), and Kamala Harris (D-Calif.). Rep. Earl Blumenauer (D-Ore.) is planning to introduce a companion bill in the House. "The Russian government interfered in American elections in 2016 and if we don't stop them, they and other governments are going to do it again," Wyden said in a statement. "The administration refuses to do what it takes to protect our democracy, so Congress has to step up. Our bill will give voters the confidence they need that our elections are secure." Blumenauer said that "if the 2016 and 2018 elections taught us anything, it is that our election security systems are woefully inadequate." [...]
Spyware created by a sophisticated group of hackers-for-hire took advantage of a flaw in the WhatsApp communications program used by more than 1.5 billion people worldwide to remotely hijack dozens of phones, the company said late Monday. The Financial Times identified the firm as Israel's NSO Group, and WhatsApp all but confirmed the identification. WhatsApp described the hackers to CBS News as having "all the hallmarks of a private company that works with a number of governments around the world," adding to The Associated Press that they do so "to deliver spyware." A spokesman for the Facebook subsidiary later told the AP: "We're certainly not refuting any of the coverage you've seen." WhatsApp also told CBS News, "We have made information available to U.S. law enforcement for further review. We may make additional information available as appropriate."... https://www.cbsnews.com/news/whatsapp-flaw-let-hackers-install-spyware-on-cellphones-when-people-made-or-got-calls/ [See also Attacks used app's call function. Targets didn't have to answer to be infected, noted by Monty Solomon: https://arstechnica.com/information-technology/2019/05/whatsapp-vulnerability-exploited-to-infect-phones-with-israeli-spyware/ PGN]
Facebook busts Israel-based 'fake news' campaign to disrupt elections worldwide (The Japan Times) https://www.japantimes.co.jp/news/2019/05/17/business/facebook-busts-israel-based-fake-news-campaign-disrupt-elections-worldwide/?appsule=1&idfa=2FA29BF3-DF21-40C3-BD24-C3937A2D1577#.XN4NthKRWnM
https://www.theguardian.com/world/2019/may/15/israeli-tv-eurovision-webcast-hacked-with-fake-missile-alert The online stream of the Eurovision semi-finals in Israel was hacked to show warnings of a missile strike and images of blasts in the host city, Tel Aviv. The website for KAN's television stations was interrupted on Tuesday evening -- just as the competition's first round was beginning -- with a fake alert from Israel's army telling of an impending attack. Messages such as: "Risk of Missile Attack, Please Take Shelter" and: "Israel is NOT Safe. You Will See!" appeared on the screen. Animated satellite footage showed explosions in the coastal city.
[Bruce's Crypto-gram has so many RISKS-worthy items that I am going to stop trying to pick out a few. Here I picked a few items to list from the table of contents of his latest issue, and only the first item. I urge some of you to subscribe. PGN]

Bruce Schneier, CTO, IBM Resilient
email@example.com
https://www.schneier.com

A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit Crypto-Gram's web page https://www.schneier.com/crypto-gram.html

Read this issue on the web https://www.schneier.com/crypto-gram/archives/2019/0515.html

** *** ***** ******* *********** *************

** IN THIS ISSUE: [PGN-excerpted just a few items]

* China Spying on Undersea Internet Cables
* Vulnerabilities in the WPA3 Wi-Fi Security Protocol
* More on the Triton Malware
* New DNS Hijacking Attacks
* Iranian Cyberespionage Tools Leaked Online
* Excellent Analysis of the Boeing 737 Max Software Problems
* Vulnerability in French Government Tchap Chat App
* Fooling Automated Surveillance Cameras with Patchwork Color Printout
* Stealing Ethereum by Guessing Weak Private Keys
* Why Isn't GDPR Being Enforced?
* Malicious MS Office Macro Creator
* Leaked NSA Hacking Tools
* Amazon Is Losing the War on Fraudulent Sellers
* Another NSA Leaker Identified and Charged
* Cryptanalyzing a Pair of Russian Encryption Algorithms
* Reverse Engineering a Chinese Surveillance App
* Cryptanalysis of SIMON-32/64

** CHINA SPYING ON UNDERSEA INTERNET CABLES
https://www.schneier.com/blog/archives/2019/04/china_spying_on.html

Supply chain security is an insurmountably hard problem. The recent focus is on Chinese 5G equipment, but the problem is much broader. This opinion piece looks at undersea communications cables.
https://www.bloomberg.com/opinion/articles/2019-04-09/china-spying-the-internet-s-underwater-cables-are-next But now the Chinese conglomerate Huawei Technologies, the leading firm working to deliver 5G telephony networks globally, has gone to sea. Under its Huawei Marine Networks component, it is constructing or improving nearly 100 submarine cables around the world. Last year it completed a cable stretching nearly 4,000 miles from Brazil to Cameroon. (The cable is partly owned by China Unicom, a state-controlled telecom operator.) Rivals claim that Chinese firms are able to lowball the bidding because they receive subsidies from Beijing. Just as the experts are justifiably concerned about the inclusion of espionage "back doors" in Huawei's 5G technology, Western intelligence professionals oppose the company's engagement in the undersea version, which provides a much bigger bang for the buck because so much data rides on so few cables. This shouldn't surprise anyone. For years, the US and the Five Eyes have had a monopoly on spying on the Internet around the globe. Other countries want in. As I have repeatedly said, we need to decide if we are going to build our future Internet systems for security or surveillance. Either everyone gets to spy, or no one gets to spy. And I believe we must choose security over surveillance, and implement a defense-dominant strategy.
https://www.nytimes.com/2019/05/14/us/facial-recognition-ban-san-francisco.html It is the first ban by a major city on the use of facial recognition technology by the police and all other municipal agencies.
[via Dave Farber] "Rising inequality in Britain risks putting the country on the same path as the US to become one of the most unequal nations on earth, according to a Nobel-prize winning economist. Sir Angus Deaton is leading a landmark review of inequality in the UK amid fears that the country is at a tipping point due to a decade of stagnant pay growth for British workers. The Institute for Fiscal Studies thinktank, which is working with Deaton on the study, said the British-born economist would 'point to the risk of the UK following the U.S.'—which has extreme inequality levels in pay, wealth and health. Speaking to The Guardian at the launch of the study, he said: There's a real question about whether democratic capitalism is working, when it's only working for part of the population." https://www.theguardian.com/inequality/2019/may/14/britain-risks-heading-to-us-levels-of-inequality-warns-top-economist
Marissa Higgins, Daily Kos, 13 May 2019 https://www.dailykos.com/stories/2019/5/13/1857360/-Poll-says-that-56-of-Americans-don-t-want-kids-taught-Arabic-numerals-We-have-some-bad-news [...] An astounding 56% of Americans said Arabic numerals should not be taught in American schools. Arabic numerals. Which are, you know, the ones we use. [1,2,3, etc.] Is there an explanation that doesn't have to do with bigotry? I think not. Islamophobia is a huge problem in the U.S. My guess (and the only explanation I can gather) is that people read `Arabic' and immediately went negative. Gross.
Intel-specific vulnerability was found by researchers both inside and outside the company. https://arstechnica.com/gadgets/2019/05/new-speculative-execution-bug-leaks-data-from-intel-chips-internal-buffers/
https://www.bbc.com/news/technology-48294788 Mario Puzo wrote that "A lawyer with his briefcase can steal more than a hundred men with guns." "What is known as 'crime as a service' has been a growing feature in recent years, allowing organised crime gangs to switch from their traditional haunts of drugs to much more lucrative cyber-crime." CaaS only requires quick hands to type faster than law enforcement can apprehend criminals. CaaS proudly exploits IaaS, PaaS, and SaaS. Risk: Internet-based business resilience and continuity, critical infrastructure, etc.
Patrick Howell O'Neill, Gizmodo, 14 May 2019 [Note: This item comes from reader Randall Head. DLH] https://gizmodo.com/ransomware-is-putting-a-damper-on-our-smart-city-future-1834731404 Last month, we found out that hackers took down a county government in California. Around the same time, a city in Maine lost control of all its data. These followed New York state's capital, Albany, admitting that hackers had crippled the city's technology operations, which means just about everything important in the city was taken down. And just last week, Baltimore was hit by a successful ransomware attack that demanded 13 bitcoin to decrypt city files that were being held hostage. The world is supposed to be launching into a dazzling smart city future where governments are always connected and, therefore, move quicker and more efficiently than before. But if that's where we're going, we have to deal with the fact that many cities fall victim to profit-driven hackers. The weapon often used against cities is ransomware, a type of malware designed to gain access, take control of important data and then demand money to end the ensuing crisis. It's a popular extortion-hacking scheme that's now seeing a new source of success. American governments, particularly cities, states, law enforcement agencies, and schools, are being increasingly targeted by ransomware, according to a new report from the cybersecurity firm Recorded Future. At least 170 government systems have been attacked since 2013, according to public reports. And there have been 21 attacks so far this year, Recorded Future found, and 2019 is on pace to tally the highest ever number of ransomware attacks against cities. But due to the lack of transparency and accountability, there are likely more attacks unknown to both the public and many defenders. Is this due to an overall rise in ransomware attacks, or is it a result of more cities bringing their systems online? 
No one knows the full answer because, thanks to a lack of transparency and information sharing rules, no one knows fully what's happening. In a time when American cities are struggling to deal with crumbling infrastructure—bad roads, collapsing bridges, old hospitals—it's becoming increasingly clear that vulnerable networks ought to be added to the list of decaying necessities in dire need of an upgrade. With the emergence of the so-called smart city, in which everything is connecting to the Internet—including those very same roads, bridges, and hospitals -- the challenges facing cities loom even larger. "We see with cities coming online in every respect so that when ransomware takes them offline, how much it affects constituents," Recorded Future's Allan Liska told Gizmodo. "Atlanta had everything in the 'smart city', so even court systems were taken offline, no one could pay anything through the city because the systems were taken offline." Cities around the country are racing to become 'smart'. Tech and federal money along with an undeniable popular sentiment to modernize government is driving the push to connect. But it's one thing to let an algorithm direct road crews or build a facial recognition system to identify drivers—it's an entirely different issue to have cities prepared to deal with the inevitable security problems that will pop up. That's to say nothing of the looming privacy concerns of smart cities.
RISKS-31.21-23 have had several posts on this item: My knowledge of modern passenger aircraft design and operation is negligible, along with the relationships between manufacturers and airlines, but obviously there's an enormously-complicated combination of systems interacting here. Topics like these are not well covered by mainstream media, so it's useful to have informed debates in forums like RISKS. Investigations are still ongoing as I write. Personally, I find it NOT useful to have soap opera-style name-calling, intentionally avoiding scientific rigour to maximise emotional impact. Total safety is pretty easy to achieve, it just needs infinite quantities of time, money, and resources. In real life these are all restricted, so compromises are necessary. A good design isn't one which is almost perfect but never gets made because it's too expensive, it's one which makes the best trade-offs between conflicting demands, which in turn require value judgments, which is one reason why we have agreed safety standards. The safety of aircraft can always be improved by spending more money, but the planes have to be low-cost enough for airlines to afford to buy or lease them, and the tickets affordable for passengers, and air-related businesses have to make money or they go bust. It's easy to be wise with hindsight.
A couple of posts in Risks Digest 31.22 seemed related:

> Abilify MyCite adds the electronic tracking component and, at $1,650 a
> month, costs almost 30 times as much as a 30-day supply of generic Abilify
> at a Costco pharmacy.

How much would a daily visit from a carer cost? If one carer had only three people to look after, then this would save nearly $60,000 a year to cover their employment. There would also be a number of other benefits, besides ensuring that the patient takes their medication.

> resident physicians in a busy emergency room spent 28 percent of their
> work time with patients and 43 percent on data entry, during which they
> made 4,000 keystrokes.

Providing each physician with a secretary proficient in typing and medical terminology would appear to allow them to at least double the time they spend with patients, while costing far less than doubling the number of physicians. But in a Capitalist economy the technological solution is much more attractive than the human solution: because there is more profit to be made from a technological solution, and profit is everything!
> A friend of mine once opined that advertising was a zero-sum game.

This is clearly incorrect: it can only be a negative-sum game. The name of the game (as with competition in so many other areas) is to try to hurt your opponent *more* than you hurt yourself. Then you have "won" the game. You seem to think it incredible that billions of dollars spent in advertising will actually have a measurable psychological effect on hundreds of millions of people. But advertising *works*: otherwise nobody would do it!

> Attempts to introduce competition into the Soviet economy were a disaster.
> However, attempts to run an economy (the Soviet economy again) without
> competition were also a disaster.

This is also factually incorrect. This Reddit post gives a carefully argued, factually supported, comparison between US capitalism and Soviet communism: https://old.reddit.com/r/LateStageCapitalism/comments/99o8mw/minimum_wage/

Let's unpack the idea that "Capitalism works". In the US, the most developed Capitalist country, the richest country in the history of the world: 1 out of every 7 US citizens needs to visit food banks to survive, despite having enough food to feed 10 billion people. Half of all food produced is thrown away by retailers. Empty homes outnumber the homeless by 6 to 1. Bank foreclosures and housing speculators have left 18.9 million empty homes. 2.5 million homeless children, or ~1 / 30. In the UK, there are 10x more empty houses than homeless families. UNICEF, RESULTS, and Bread for the World estimate that 15 million people die each year from preventable poverty, of whom 11 million are children under the age of five. In the US alone, 20-40k deaths every year because of lack of health insurance / care. On average, that's 300k over the last decade. Average US household carries ~$140k in debt. Median household income only $60k, 40% of millennials live with their parents. 8 men control as much wealth as half the world's population.
Anyone wanna take a guess at how this game of monopoly ends? 80% of US workers live paycheck to paycheck, 40% cannot cover a $400 emergency. US Life expectancy peaked in 2015, is on the decline, and is now lower than in China. Suicide rates have leaped more than 25% in the last 20 years. Committed countless atrocities, killing millions directly and indirectly across the globe. Imperialist network of 800 military bases in 70 countries. Most prisoners per capita AND by total. Makes sense, since prison is Capitalism's boarding house. Runs at least 54 agricultural slave labor camps.

Capitalist hegemony has short-circuited people into buying wildly illogical and ridiculous propaganda like: "Lift yourselves up by the bootstraps" (which shows the almost religious power of capitalist propaganda, that the impossible can become possible), or "Communism doesn't work", when in fact Communism did work extremely well. Examples from this post by /u/bayarea415 about the USSR specifically:

* USSR had more nutritious food than the US (CIA). Calories consumed surpassed the US. Ended famines. Had the 2nd fastest growing economy of the 20th century after Japan. The USSR started out at the same level of economic development and population as Brazil in 1920, which makes comparisons to the US, an already industrialized country by the 1920s, even more spectacular.
* Free Universal Health care, and most doctors per capita in the world. 42 doctors per 10,000 population, vs 24 in Denmark and Sweden, 19 in US.
* Had zero unemployment, continuous economic growth for 70 straight years. The "continuous" part should make sense --- the USSR was a planned, non-market economy, so market crashes à la capitalism were pretty much impossible.
* All education, including university level, free.
* 99% literacy.
* Saved the world from Fascism, killing 7 out of every 10 fascist soldiers (bore the enormous cost of blood and pain).
  Nazis were in retreat after the battle of Stalingrad in 1942, a full 2 years before the US landed troops in Normandy.
* Doubled life expectancy. Eliminated poverty.
* End gender inequality. Equal wages for men and women mandated by law, but gender inequality, although not as pronounced as under capitalism, was perpetuated in social roles. Very important lesson to learn.
* End racial inequality.
* Feudalism to space travel in 40 years. First satellite, rocket, space walk, woman, man, animal, space station, moon and mars probes.
* Had zero homelessness. Houses were often shared by two families throughout the 20s and 30s--so unlike capitalism, there were no empty houses, but the houses were very full. In the 40s there was the war, and in the 50s there were a number of orphans from the war. The mass housing projects began in the 60s, they were completed in the 70s, and by the 70s, there were homeless people, but they often had genuine issues with mental health.

Now let's take a look at what happens after the USSR collapse:

* Life expectancy decreases by 10 years. 7.7 million excess deaths in the first year.
* 40% of population drops into poverty.
* GDP instantly halves.
* One in ten children now live on the streets. Infant mortality increases. Was 29.3 in 2003 which is around (current) Syria and Micronesia, 7.9 in 2013. Infant mortality in USSR was 1.92, literally the lowest in the world.
* 1996 election rigged by the US, Yeltsin sends in tanks to disperse the supreme soviet.

For an overview of the soviet experiment, watch this brilliant talk by Michael Parenti, or read his article, Left anticommunism, the unkindest cut. Also read this great article by Stephen Gowans, Do publicly owned, planned economies work?. Audio on YouTube. Bonus vid about cyber-communism: Paul Cockshott, Going beyond money. More sources: Socialism Crash Course, Socialism FAQ, Glossary.
Follow this link for the above references: https://old.reddit.com/r/LateStageCapitalism/comments/99o8mw/minimum_wage/

> a profound discouragement to technical innovation

That is the propaganda. The reality is (as discussed above): If you follow the Reddit links, then you will find that all of the above statements are supported with factual documentation. None of your statements come with any factual support. I am happy to continue the debate, but please can we stick to facts only and leave out the opinion and propaganda? Note: I am not suggesting that Communism is the ideal. I prefer G.K.Chesterton's Distributism to either Capitalism or Communism.