RISKS Digest 28.37

Friday 21 November 2014

Electronic Election Fraud Apparent in Brazil; Done in America Today?

Andre Carezia <>

Date: Fri, 21 Nov 2014 10:17:37 +1100 (EST)

E-voting ruled out by Australian parliamentary committee

E-voting is highly vulnerable to hacking, a parliamentary committee has found.

Australians won't be using computers to vote in federal elections any time soon.

That's because it's still not as secret or secure as writing on a ballot paper, a parliamentary committee has concluded.

Dave Horsfall DTM (VK2KFU) "Bliss is a MacBook with a FreeBSD server.

Australia rules out e-voting

Dave Horsfall <>

Date: Tue, 18 Nov 2014 11:14:51 -0200

Twitter used to pass election polling information?

Harry Hochheiser <>

Date: Mon, 17 Nov 2014 17:26:03 -0500

Did the GOP use Twitter to break campaign finance law? Twitter profiles were meaningless without knowledge of how to find and decode them.

In 2010, the Supreme Court ruled in Citizens United that unions, groups, and nonprofit corporations had a First Amendment right to spend as much as they wanted on political campaigns. The only caveat was that they could not coordinate with the actual campaign they were campaigning for.

But CNN said Monday that the GOP employed Twitter to "stretch" Citizens United by using anonymous Twitter accounts to publicly share internal polling data to "signal to the campaign committees where to focus on precious time and resources."..

[Harry later added more:]

The blowback is part of the issue, isn't it? Perhaps the tweets were sent by Democrats who were hoping to pin something nefarious on the Republicans? Inherent risks of anonymity, to be sure, but arguably less risky than the alternative. Encrypted e-mail would have done the job almost as easily...

Auckland 'NewCore' project a year late and $100 million over budget

Richard A. O'Keefe <>

Date: Thu, 20 Nov 2014 14:45:20 +1300

Auckland is New Zealand's largest city. The wider Auckland region used to be split amongst 8 local bodies, but in 2010 the central government merged them into a single `super-city', holding 1/3rd of the country's population. The `NewCore' project was set up to make a new system to replace and improve on the existing eight IT systems.

See a slide deck on it:

The project had a $58 million capital budget and $13 million operating expenses. The first stage was expected to go live in May this year and the system was supposed to be finished in 2016. The expected cost benefit was $13.3 million dollars per year, with a net present value in late 2012 of $25.2 million.

The project is so far a year late and $100 million over budget, about 4 times the NPV. This was reported in the *New Zealand Herald*. So far no special stupidities have been revealed. From the NZ Herald:

"IT engineers have discovered merging the eight systems from the previous councils to be more complex than originally thought. And not one of the existing systems was considered a good starting point. ... and the scope of NewCore has grown."

Really, the only surprising thing is that anyone is surprised.

Drones Sighted by Pilots Landing at JFK Airport in NYC Show New Risks

Monty Solomon <>

Date: Fri, 21 Nov 2014 06:50:30 -0500

A string of drone sightings this week by airline pilots flying into John F. Kennedy International Airport highlights aviation risks posed by the increasingly popular unmanned aircraft. ...
*Wall Street Journal*

Ian Urbina: The Secret Life of Passwords

NYT via PGN <>

Date: Fri, 21 Nov 2014 12:05:53 PST

Ian Urbina, The Secret Life of Passwords: We despise them—yet we imbue them with our hopes and dreams, our dearest memories, our deepest meanings. They unlock much more than our accounts.
*The New York Times* Magazine, 19 Nov 2014

[Ian Urbina <> is seeking responses to his article, for a possible follow-up one. PGN]

Android source of spreading malware

NYT via PGN <>

Date: Fri, 21 Nov 2014 9:57:34 PST

Why mobile and consumer ISPs shouldn't censor encryption or the Net

John Gilmore <>

Date: November 19, 2014 at 8:31:04 PM EST

[From the Cryptography list. PGN]

> ...this was port 25 on Cricket Wireless, a prepaid mobile subsidiary of
> AT&T, i.e., a consumer network without static IP addresses or mail
> servers.
>
> Blocking port 25 on consumer networks to prevent outgoing spam, with
> real mail submitted on port 587 with authentication, has been an ISP
> best practice for over a decade.

I want to explore two of the assumptions in the above, that seem to be decisive for some people in the debate: "mobile" and "consumer".

The theory seems to be that in a "mobile" Internet provider (that is, one run by a cellphone company), more censorship is justifiable. And that in a "consumer" Internet provider, like one that sells residential DSL or cable service, more censorship is justifiable. In this theory, an uncensored Internet should only be available to end user nodes that are servers and backbone ISPs, because they can be trusted to handle it, and they have the bandwidth to deal with the traffic.

Let's talk about "consumer" first. The Internet is a peer-to-peer network. That has always been its strength, and one of the big things that distinguished it from the "master/slave" networks that preceded it like IBM's RJE, SNA, public networks like Telenet and Tymnet, and early computer communication services like MCI Mail, CompuServe and The Source. The Internet started with every peer able to talk to every other peer, with no nodes relegated to mere "clients" or "consumers". TCP is designed to make a working connection even if both nodes simultaneously and spontaneously reach out to each other, as opposed to having a "server" side lying in wait and a "client" side initiating connections. New applications and protocols such as multicast, instant messaging, VoIP, video conferencing, distributed source code control systems like git, Mobile IP, BitTorrent, Kademlia, federated social networking, and many others, including the Web which was invented dozens of years after the Internet, depend on this peer-to-peer behavior. When address exhaustion and NAT threatened peer-to-peer since the 1990s, the network evolved to continue offering peer-to-peer support, including IPv6 as the big fix, plus UPNP, NAT Traversal, dynamic DNS, supernodes, and other NAT circumvention technologies.

In a peer-to-peer network it doesn't work to designate some portions of the network as "consumers" or "clients" who don't get full access, and other portions of the network as "providers" or "servers" who do get full access. Servers can be placed anywhere in the network, and frequently are placed on "consumer" networks. For example, in the homes of engineers or entrepreneurs, in consumer Network Attached Storage boxes, in ethernet video cameras, and even in flying $500 quadcopters. Consumers (e.g. people) should have all the same rights on the network as providers (e.g. websites). Consumer devices (e.g. tablets) should have all the same rights on the network as provider devices (e.g. data center servers). A device's location on the network is not and should not be relevant. Many of the most transformative innovations have come from individual consumers like Bram Cohen or Linus Torvalds who created new protocols that run at the edge of the network (BitTorrent and git).

Now let's talk about "mobile". The theory is that mobile networks somehow should get more authority to censor or block traffic, because they have less total bandwidth available, or because their end nodes are "only" cellphones, or for reasons like those. Those arguments are largely specious, too.

First, cellphones have evolved into full blown pocket computers, and there are more of them in the world than there are desktop computers. If the broad social move from desktops to pocket computers means that their billions of users get fewer rights and capabilities than they had in the previous generation, there's something rotten at the heart of that theory. EFF was founded more than 20 years ago to counter exactly this kind of creeping removal of well accepted civil rights via technological change. Cellphone users should have all the same rights against censorship and rights to encrypt their transmissions, as desktop computer users and as server operators. Software that runs as a mobile "app" should have the same rights on the network as software that runs as a Linux desktop "package". And by the time when our cellphones shrink to run in our wristwatch, our eyeglasses, or in our bloodstreams, our always-on network should not deprive us of rights that we had back in the day when we had to unpack our computer from a bulky suitcase.

Second, it is easy for "mobile" networks to provide connectivity to full blown desktop computers or servers. USB mobile dongles are readily available and cheap. Mobile-based WiFi hotspots are readily available and cheap. The end nodes that connect to such hotspots, or use those dongles, should get no worse censorship and encryption policies than when they connect to a hardwired WiFi hotspot or to an Ethernet cable.

Third, telephone companies are now actively claiming that they cannot affordably provide wired communications services, so they are asking regulators to be able to withdraw wired services and offering ONLY "mobile" networks to their customers in entire regions. This got the most press coverage after East Coast floods destroyed wired infrastructure, but it is a covert nationwide strategy and every day a telco petitions a government somewhere to eliminate the telco's core requirement to provide wired service to every customer who wants it. So not only do "mobile" users in those regions become second-class customers, but EVERY user in those regions becomes a second class customer. If every user gets a more-censored Internet in this transition, we're back to the dystopia of technological evolution and telco manipulation destroying the valuable and important civil rights that we all once had.

Fourth, let's examine the "low bandwidth" theory. In many places on the earth, 3G and 4G and 5G mobile bandwidth exceeds the readily available bandwidth from wired Internet providers. DSL lines only reach tens of thousands of feet from a central office, relegating rural home users to dialup modems or satellite or other wireless feeds. Yet mobile cellular networks in rural areas often cover large geographical areas that hold few subscribers. This means that each subscriber gets a correspondingly large share of the total available bandwidth of the cell site, often making mobile cellular the highest-available end-user-bandwidth network.

Fifth, even where wired networks offer higher bandwidth than mobile, the absolute bandwidth offered on mobile networks today vastly exceeds the bandwidth that was available just a short time ago. The original ARPAnet's backbones were 56 kilobit/sec leased lines, as were the original high speed ISDN Internet connections offered in the 1990s. When the NSFnet took over from the ARPAnet, it ran on big 1500 kilobit (1.5 Megabit, T1) backbones. Almost every server in the mid-1990s had no better connection to the Internet. The NSFnet was later upgraded to a T3 (45 megabits) backbone, roughly the downstream speed of today's consumer cable modem—but that was enough for the entire North American continent. Most initial Internet users were on 14.4 kilobit dialup modems, eventually rising to 56 kilobit dialup. When the telco monopolies were forced to allow entrepreneurs to change the signaling on the last-mile wire to your telco central office, ADSL lines that ran a whole megabit or more (in one direction) became cheaply available to consumers and ordinary businesses. So getting back to the "mobile" theory, if your server is perfectly happy on a 1.5 megabit connection, why should you get your access censored, your encryption blocked, and your application choices limited, depending whether your connection is a T1 line or a "mobile" dongle?

Sixth, after natural or man-made disasters, wired connectivity is often destroyed, flakey or unavailable. Mobile networks are much quicker to repair after a flood, war, or earthquake, and may not go down at all. For the resilience of our infrastructure, which includes Internet services and not just backbone connectivity, end users should be able to switch both their "clients" and their "servers" onto whatever networks are functioning, at any time. A company that runs its own mail server should not have mail delivery fail, or refuse encryption, because it was wise enough to provision itself with backup connectivity via a mobile network. If after a tornado you put your web server on port 80 on a mobile network while running the server on battery backup, the cellphone company should not censor it. In disasters the network has to be flexible, not rigid and coercive.

All these theories about why it's OK to censor Internet access, block certain services based on the whim of the ISP, and prevent end users from encrypting their traffic, come at their root from the monopoly nature of the underlying access media. In the heyday of the Internet, before these monopolies learned how to manipulate the regulators to prevent it, the monopolies were prohibited by law from telling you what phone numbers you could call, what ISP you could dial into, what protocols you could run over that modem, or who in the rest of the world you could communicate with. The telco couldn't stop you from calling the Internet—much as they dearly would have loved to—because they were a common carrier. And if your ISP developed crazy ideas about censorship, you could just dial into another ISP who had policies that suited you—or start your own ISP and attract customers who like having full rights and freedoms. I did exactly that in the 1990s, when the available ISPs told me that I as a "consumer" couldn't split down and share my net connection with anybody else.

The heart of today's "network neutrality" issue is that by falsely conflating the underlying broadband access media with "the Internet", and then deciding to leave both free of regulation, the regulators have abandoned that prohibition on discrimination. The FCC now allows the regulated monopolists to decide who you can talk to and what you can say to them. The fix is not to regulate the Internet. The fix is to regulate the underlying broadband access media—the phone wiring, cable wiring, fibers to your house or neighborhood, and wireless infrastructure—while preventing the infrastructure companies from forcing you to choose a particular "Internet" provider over that access medium. Thus over your cable modem you could buy Internet access from any of a dozen providers; over your cellular phone you could buy Internet access from the same dozen. The signals would be carried over a different medium, but neither the cable company nor the cellphone company could dictate which ISP you must use or on what terms you must access the Internet.

We see this problem again and again in different corners of different issues, including this "anti-spammers versus consumer privacy" issue, but it's really the same issue. The access providers don't want to be common carriers who are obliged to carry all traffic for everyone—because there's more money in getting a government granted monopoly and then being able to selectively sell access to that region, piecemeal, to the highest bidders. Like Comcast deciding that it won't take Netflix's traffic unless Netflix pays extra. Like T-Mobile deciding that you can't access from your phone (try it) because it publishes about the politics of drugs, and "drugs are bad". And like spam-weary ISPs deciding that you can't encrypt your email transmissions because it would make their particular choice of ineffective antispam measures even more ineffective.

John Gilmore

"Microsoft does it again, botches KB 2992611 SChannel patch"

Woody Leonhard via Gene Wirchenko <>

Date: Tue, 18 Nov 2014 10:52:53 -0800

Woody Leonhard, InfoWorld, 17 Nov 2014
Last Tuesday's MS14-066 causes some servers to inexplicably hang, AWS or IIS to break, and Microsoft Access to roll over and play dead

selected text:

Then there's the problem that Microsoft hasn't acknowledged. SQL Server guru Darren Myher puts it this way:

Security Update MS14-066 causes major performance problems in Microsoft Access/SQL Server applications... When the update is installed to a server running Microsoft SQL Server (So far, confirmed as issue with SQL Server 2008 R2, SQL Server 2012, SQL Server 2014) client applications that access the database via ODBC such as Microsoft Access clients pointing to SQL Tables encounter a major performance hit...

Our customers are reporting that this security update causes MAJOR performance problems in any Microsoft Access application with a SQL Server backend (any version). For example, a simple operation such as clicking from one line of an order to another (without performing ANY data updates) can take from 5 to 15 seconds! For users having to update hundreds of lines of orders, the application becomes nearly unusable—an activity that used to take 5 minutes could take complete.

Please, if you have not installed this update yet—DO NOT INSTALL IT to the SQL Server machine

"Malware served through rogue Tor exit node tied to cyber espionage group"

Lucian Constantin via Gene Wirchenko <>

Date: Tue, 18 Nov 2014 12:12:31 -0800

Lucian Constantin, InfoWorld, 14 Nov 2014
There is strong evidence the malware dubbed OnionDuke was used to target European government agencies, F-Secure says

"ISACA survey shows security disconnect for breaches, wearables"

Maria Korolov via Gene Wirchenko <>

Date: Tue, 18 Nov 2014 10:57:17 -0800

Maria Korolov, *CSO*, 12 Nov 2014

Consumers aware of breaches, but don't care!

"How to lose customers with excessive security"

Galen Gruman via Gene Wirchenko <>

Date: Tue, 18 Nov 2014 11:01:18 -0800

Galen Gruman, InfoWorld, 18 Nov 2014
If your service or product security works like a prison, don't be surprised when users and customers go elsewhere

opening text:

I fired my bank last week because I got tired of getting entangled in security systems that ensured I would be unable to access my online banking for days at a time, especially when I was traveling. My local branch manager said I was hardly alone in leaving the bank, and it's a good object lesson for what happens when security becomes overkill.

"CASL restricts freedom of speech, academic paper argues"

Brian Jackson via Gene Wirchenko <>

Date: Tue, 18 Nov 2014 11:14:01 -0800

Brian Jackson, *IT Business*, 17 Nov 2014
CASL restricts freedom of speech, academic paper argues

opening text:

Since Canada's anti-spam law (CASL) came into effect July 1, many businesses have been scrambling to bring their communications practices into compliance -- and to understand what that compliance requires. But is the law itself even legal?

That's the question examined by a paper published in the journal Tech & Privacy by University of Windsor associate professor Emir Crowne. The paper argues CASL is unconstitutional under Canada's charter for several reasons:

High-school RISKS courses?

William Ehrich <>

Date: Wed, 19 Nov 2014 10:38:18 -0600

A phone call warns me that the IRS is about to file a suit against me. Call 202... for details.

Made me wonder whether there is a high-school course on phishing scams and similar RISKS. ... Those who don't yet have credit/debit cards or bank accounts won't pay attention or remember.

China blocks websites as Internet meeting begins

Lauren Weinstein <>

Date: Wed, 19 Nov 2014 08:17:42 -0800

AP item from The Stockmarket Watch (SMW) via NNSquad

"Chinese censors have newly blocked access to several popular websites as they target content delivery networks that serve much of the Internet, according to a U.S. Internet service company. The action comes as China hosts the World Internet Conference, which brings together many of the world's top technology companies."

Pay Phones in New York City Will Become Free Wi-Fi Hot Spots

Monty Solomon <>

Date: Tue, 18 Nov 2014 08:04:43 -0500

But beginning next year, city officials said on Monday, the relics will evolve into something deemed far more practical: thousands of Wi-Fi hot spots across the city, providing free Internet access, free domestic calls using cellphones or a built-in keypad, a charging station for mobile devices and access to city services and directions. ...

Privacy Concerns for ClassDojo and Other Tracking Apps for Schoolchildren

Monty Solomon <>

Date: Tue, 18 Nov 2014 08:15:55 -0500

Many teachers say the ClassDojo app helps them record classroom conduct, but critics are wary of such apps' ramifications for data privacy and fairness.

Re: 81% of Tor users can be de-anonymized by analyzing router ...

PGN <>

Date: Wed, 19 Nov 2014 15:47:48 PST

In the previous issue, Lauren Weinstein noted this Stack article. Martin Anderson, 81% of users can be de-anonymised by analysing router traffic, research indicates, *The Stack*.

Subsequently, Roger Dingledine's blog item and an attached comment by Sambuddho both qualify the 81% number as based on a small sample, with other comments well worth reading:

Other out-of-band comments suggest that the problem may well result from an external vulnerability rather than a flaw in Tor.

Re: The GCHQ boss's assault on privacy

Chris Drewe <>

Date: Wed, 19 Nov 2014 22:36:24 +0000

> ... Like pretty much everything else said by governments, and spy agencies
> in particular, since Snowden pulled the behaviour of the US and UK
> listeners into daylight, Hannigan's comments were intentionally
> disingenuous. But also, like servants of various despotisms with whom he
> would be lo[a]th to compare himself, Hannigan's frequent use of the word
> *democracy* is accompanied by a stunning contempt for the rule of
> law. [...]

IMHO, rather ironic that this should be happening within weeks of (a) celebrating 25 years since the fall of the Berlin Wall, and (b) Remembrance Day, when many nations annually commemorate the lives of those who fought in two world wars for our freedom. ...