The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 31 Issue 70

Tuesday 21 April 2020

Contents

Zoom's security woes were no secret to its business partners
NYTimes
New Pressure on Voatz for false claims in Oregon
Politico
2B phones cannot use Google and Apple contact-tracing tech
Ars Technica
Microsoft says the pandemic argues for a federal privacy law
WashPost
Computer Fraud and Abuse Act
WashPost
What do SHARP IoT devices and facial masks produced by its factory have in common?
CNET Japan via Chiaki Ishikawa
Re: Australian Government proposes to distribute Coronavirus App
Michael Bacon
Re: Internet Usage update
Stewart Fist
Re: The world after coronavirus
3daygoaty
Info on RISKS (comp.risks)

Zoom's security woes were no secret to its business partners (NYTimes)

“Peter G. Neumann” <neumann@csl.sri.com>
Tue, 21 Apr 2020 10:43:32 PDT

Natasha Singer and Nicole Perlroth, The New York Times, front page of the business section, today, 21 April 2020

Interestingly, Dropbox sponsored a bug bounty program to find bugs in Zoom.

Very informative article.


New Pressure on Voatz for false claims in Oregon (Politico)

“Peter G. Neumann” <neumann@csl.sri.com>
Tue, 21 Apr 2020 10:44:52 PDT

Politico reports:

The controversial mobile voting firm Voatz may have violated Oregon consumer protection law by making false claims about the security of its Internet voting app, an activist group said in a letter (attached) to Oregon Attorney General Ellen Rosenblum. In urging Rosenblum to investigate the company's behavior, Free Speech For People cited damning audits by researchers at MIT and Trail of Bits as well as Voatz's “false, misleading or specious” pushback to those audits as evidence that it violated the Unlawful Trade Practices Act in Oregon, where two counties have pilot-tested its app. The letter also cited Voatz's misrepresentation of a still-secret DHS audit and its refusal to release an audit performed by ShiftState Security. Susan Greenhalgh, Free Speech for People's senior adviser on election security, and Ron Fein, its legal director, argued that “Voatz has been making false, misleading or deceptive claims to promote and sell its product.”

Voatz told MC it would “participate in any conversation with the AG's office to resolve all questions.” A spokesperson added, “We're believers that all technology should be considered, vetted, and tested carefully -- including ours.” If Oregon opens an investigation, it would be merely the latest headache for the company. Already, the bad publicity from the excoriating security audits led West Virginia to cancel its partnership with Voatz for the state's May 12 primary. In 2018, West Virginia became the first state to let military and overseas voters use Voatz in a live election.

“Voatz has been marketing its product with emphatic claims regarding security, but those claims don't hold up in the light of the independent security reviews recently published,” Greenhalgh told MC. “It's time to investigate to determine if those faulty claims could constitute a violation of law.”


2B phones cannot use Google and Apple contact-tracing tech (Ars Technica)

Monty Solomon <monty@roscom.com>
Tue, 21 Apr 2020 01:42:36 -0400

System developed by Silicon Valley relies on technology missing from older handsets.

https://arstechnica.com/tech-policy/2020/04/2-billion-phones-cannot-use-google-and-apple-contract-tracing-tech/


Microsoft says the pandemic argues for a federal privacy law (WashPost)

“Peter G. Neumann” <neumann@csl.sri.com>
Tue, 21 Apr 2020 9:13:10 PDT

The Washington Post, 21 Apr 2020

Microsoft executives say the coronavirus pandemic underscores the need for a federal privacy law.

“In the U.S., the need for this conversation in the midst of a pandemic underscores the urgency for a strong federal privacy law,” write Julie Brill, chief privacy officer, and Peter Lee, corporate vice president for research and regulation.

“An updated legal framework placing obligations on businesses that collect and use personal data would help provide the necessary guardrails for companies to know how to protect and respect personal data as they create tools and technologies to address urgent societal needs.”

The Washington state tech giant is weighing in on a growing debate between privacy and public safety as it is providing AI to researchers, developing a self-checking tool and protecting hospitals from ransomware. The executives also released privacy principles to which they urge governments to adhere when using technology in their responses, including:


Computer Fraud and Abuse Act (WashPost)

Richard Stein <rmstein@ieee.org>
Tue, 21 Apr 2020 09:34:26 +0800

https://www.washingtonpost.com/politics/courts_law/supreme-court-montana-superfund-epa/2020/04/20/872f22e0-8309-11ea-ae26-989cfce1c7c7_story.html (see bottom of Courts & Law section in the URL)

“In the case the justices accepted, Van Buren was supposed to run searches only for official law enforcement reasons. Instead, he was paid by an individual working as part of a police sting operation to run a license plate belonging to an exotic dancer whom the man said he was interested in getting to know better.”

When police use a computer for an unofficial purpose, is it legal or not?


What do SHARP IoT devices and facial masks produced by its factory have in common? (CNET Japan)

“ISHIKAWA,chiaki” <ishikawa@yk.rim.or.jp>
Wed, 22 Apr 2020 00:20:54 +0900

SHARP, a Japanese electronics company, turned one of its LCD factories into a facial mask maker earlier this year. The scarcity of facial masks in the market prompted the company to produce masks in the clean room of its former LCD factory. It began shipping facial masks earlier this month, initially to medical facilities.

Of course, SHARP produces many other home electronic goods including air conditioners, air purifiers, intelligent cooking devices, etc. In the recent IoT application framework, SHARP's IoT devices, including the goods mentioned in the previous sentence, can be controlled by a smartphone app via SHARP's cloud.

The news is that after SHARP's mask sales to the general public started via its website on 21 Apr, users of SHARP IoT devices began reporting that they could not control them via the smartphone app any more. Local control using the infrared remote controller or physical switches works as usual.

Why?

It turns out that the SHARP IoT control app accesses an authentication server that happens to run on the SAME SERVER on which the web server that handles the sales of facial masks to the general public resides. The server could not keep up with the surge of workload due to the facial mask sales on 21 Apr.

The app seems to access the authentication server each time a command is invoked, adding to the workload surge. (The user enters a userid/password pair, and it seems the pair is cached locally on the phone, so the user does not have to retype it. However, each time a command is sent to a device, the authentication server seems to be accessed for authentication. Ouch.)

Careful planning of server peak usage and the migration of server functions will be in order in the IoT age. (Not that it was unnecessary before, but careful server deployment planning is much more in demand now that there are devices that can be controlled by smartphones via a server, and some devices have no interactive LCD numeric display or buttons at all, relying on network-based control via smartphone alone (!).) Many of these IoT devices affect our daily living and, in the worst case, even our lives.

BTW, I am dumbfounded at SHARP's response, as follows. It is as if there were no users of the smartphone app to control these devices. SHARP's PR department was contacted by the writer of the news article below, and according to it, SHARP plans to accept orders for facial masks at 10:00 A.M. each day, when the available amount of daily stock of masks delivered from the factory is entered, until the stock runs out for the day. This will be repeated daily from April 21st to May 10th. Such is the high demand for facial masks in Japan. SHARP says it has no plan to change this practice, but it will monitor the situation and may modify the sales practice.

I bet irate SHARP users and their blog posts will FORCE SHARP to do something by the end of this week, given that we have an unusually cold April this year. A savvy network company would have switched the web server front-end to a different host in no time, and possibly moved the backend database server to a different host very fast using replication.

https://japan.cnet.com/article/35152681/ (in Japanese)
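As an added illustration (not code from the article or from SHARP), a small Python model of the two client designs this post contrasts: one that hits the shared authentication server on every device command, and one that logs in once and reuses a short-lived token until it expires. The user name, credential, command names and TTL are constructed for the demonstration.

```python
import time


class AuthServer:
    """Shared authentication endpoint; counts how many requests reach it."""
    def __init__(self):
        self.hits = 0

    def login(self, user, password):
        self.hits += 1
        # Constructed credential check; a real service would verify a stored hash.
        if (user, password) != ("alice", "s3cret"):
            raise PermissionError("bad credentials")
        return "token-for-" + user


class NaiveClient:
    """Re-authenticates on every device command, as the post describes."""
    def __init__(self, auth, user, password):
        self.auth, self.user, self.password = auth, user, password

    def send(self, command):
        token = self.auth.login(self.user, self.password)  # one auth hit per command
        return token, command


class CachingClient:
    """Logs in once and reuses a short-lived token until it expires."""
    def __init__(self, auth, user, password, ttl=900, clock=time.monotonic):
        self.auth, self.user, self.password = auth, user, password
        self.ttl, self.clock = ttl, clock
        self.token, self.expires = None, 0.0

    def send(self, command):
        now = self.clock()
        if self.token is None or now >= self.expires:  # refresh only when expired
            self.token = self.auth.login(self.user, self.password)
            self.expires = now + self.ttl
        return self.token, command


def auth_hits(client_cls, n_commands, **kwargs):
    """Run n_commands through a fresh client and return the auth-server load."""
    auth = AuthServer()
    client = client_cls(auth, "alice", "s3cret", **kwargs)
    for i in range(n_commands):
        client.send("set_temperature %d" % (20 + i % 3))
    return auth.hits
```

With 100 commands the naive client generates 100 authentication requests, the caching client one; a token TTL still bounds how long a leaked token stays usable.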


Re: Australian Government proposes to distribute Coronavirus App (RISKS-31.69)

A Michael W Bacon <amichaelwbacon@gmail.com>
Tue, 21 Apr 2020 11:34:13 +0100

Of the proposed app, John Colville said its use was:

> to help identify contacts of people who have been identified as having novel Coronavirus (COVID-19)

This contains an error that is being made far too often in reporting on “contact tracing” apps.

Unless the app is forcibly updated (and then locked) by a clinician, the user will not have been identified as being infected.

The apps currently being touted in the Western world rely on the user updating the app with their diagnosis. If they desire not to, there is no compulsion, and if there were, how would it be enforced? Conversely, if an uninfected user decides to flag themselves as infected, there is nothing to stop them; post facto there might be a legal sanction … but a defence would undoubtedly be: “I was running a temperature and decided to warn others.”

Consider in this latter instance a pupil who decides to "lockdown" their school and so marks themself as infected. Consider too the prankster who marks the app on a burner phone as ‘infected’ and ties it to a dog which is then allowed to run loose, or who hides the phone in a location visited/passed by many people (say a railway station, or a street in a business/commercial area - yes, even in these times). Hundreds to thousands of ‘contacts’ could/would be flagged in a short space of time through the exponential process.

Then, from the app's perspective a ‘contact’ is not necessarily an epidemiological contact, there might well be a physical barrier between the parties.

The effectiveness of such apps in Western society is questionable, and their use and abuse could cause more problems than the one they're trying to fix.

The proposals have the hallmarks of the classical false syllogism: “We must do something; this is something; so we must do it.”


Re: Internet Usage update (RISKS-31.69)

Stewart Fist <stewart_fist@optusnet.com.au>
Tue, 21 Apr 2020 09:44:52 +1000

Would the Information Technology Community promote the idea that we should all pay a low fee for sending each email?

I know every reader of RISKS will initially bristle at the idea. But, if we were charged, say, 1 cent per mail sent, then most individuals would pay only fractions of a dollar a day, and in a competitive world, this would be set off against annual fees.

However, those scam organisations which exist by flooding the world's mailboxes with unwanted, illegal and disgusting emails by the millions would be quickly driven out of business.

The global email and Internet system is never going to reach its potential until there is an actual money penalty for abusing the technology.

Couldn't such a charge be introduced on a global scale at the borders?

I believe it could.


Re: The world after coronavirus (RISKS-31.69)

“3daygoaty .” <threedaygoaty@gmail.com>
Tue, 21 Apr 2020 10:53:55 +1000

The last time I looked, my state government attempted to have us all use a smart card to carry around and use to access the mass transport system. This ran years late and cost three times as much as they expected. I believe, but I can't prove, that at least 10% of users travel for free every day.

You'd think security experts forced to wear the security anklets might turn their efforts to tricking the anklet (with a Gummy Bear, or something)? And so if my government forced 10 million bracelets (or apps or such) on us, how long would it take for someone to break or jam one and publish the instructions? A week?

It reminds me of the film Gorky Park where apparently all the phones were surveilled but this was defeated by turning the rotary dialer and sticking a pencil in it. This is what all the characters in the film did when they needed a private conversation. The (very large) cost of listening to all those phones was subverted by a ten cent pencil.

Aren't these technical asymmetries also a risk for Kim Jong Un?
