Risks Digest 27.09
From: RISKS List Owner <risko () csl sri com>
Date: Wed, 21 Nov 2012 21:36:10 PST
RISKS-LIST: Risks-Forum Digest Weds 21 November 2012 Volume 27 : Issue 09
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
The current issue can be found at
Future of Federal Cybersecurity R&D Strategies Webcast (Jeremy Epstein)
Largest identity theft ever? (Mark Thorson)
Largest U.S. identity theft ever? (Mark Thorson)
Two items of potential interest on the 2012 election (Thom Hartmann/Sam Sacks)
ORCA, Mitt Romney's high-tech get-out-the-vote program, crashed on
Election Day (Michael Kranish via Monty Solomon)
"Unleashed! Project Orca, the campaign killer whale" (Robert X. Cringely via Gene Wirchenko)
Security issues threaten to derail tablet voting (Rebecca Mercuri)
Estonia: WNYC's On the Media (E. John Sebes)
Scientists Find Cheaper Way to Ensure Internet Security (John Markoff)
Consequences of Facebook photo misidentification (Ken Olthoff via PGN)
Android flaw blocks December dates (Mark J Bennison)
Big Data and Europe's "Right to be Forgotten" (Lauren Weinstein)
Bloomberg news: Why Cell Phones Went Dead After Hurricane Sandy
(Susan Crawford via Dave Farber)
Less privacy protection for IMAP users (Steven J Klein)
Privacy and surveillance (Steve Summit)
"Unlocking the brilliance in high tech" (Gene Wirchenko)
Re: Summary of my experiences on the election (Richard S. Russell)
2012 Layered Assurance Workshop (LAW) Final Program (Rance DeLong)
Abridged info on RISKS (comp.risks)
Date: Wed, 21 Nov 2012 21:49:59 -0500
From: Jeremy Epstein <jeremy.j.epstein () gmail com>
Subject: Future of Federal Cybersecurity R&D Strategies Webcast
Future of Federal Cybersecurity R&D Strategies Webcast
When: Tuesday, 27 Nov 2012
Time: 1:00pm-3:00pm EST
Webcast link: http://www.tvworldwide.com/events/nsf/121127/
Join a webcast of the Federal government's cybersecurity research and
development strategies. Senior Federal representatives will review
Government activities in implementing the Federal cybersecurity R&D
strategic plan and discuss emerging areas in cybersecurity research that may
warrant further focus. The webcast session is part of the National Science
Foundation's Secure and Trustworthy Cyberspace Conference. Additional
information about the conference is available at
Date: Tue, 20 Nov 2012 15:09:47 -0800
From: Mark Thorson <eee () sonic net>
Subject: Largest identity theft ever?
Man arrested for theft of "9 million files" said to comprise identity data
for roughly 2/3 of the Greek population.
I suppose this is the inevitable result of organizations that aggregate such
massive quantities of data combined with technology that allows it all to
fit on a tiny USB stick. Sooner or later, all of the data anyone might care
about will fit on such a stick, including every private e-mail you've ever
sent via cloud-based services and every embarrassing private photo you've
ever uploaded to a personal profile.
Date: Wed, 21 Nov 2012 13:01:32 -0800
From: Mark Thorson <eee () sonic net>
Subject: Largest U.S. identity theft ever?
3.8 million tax returns stolen by phishing attack against
the state of South Carolina.
Date: Tue, 20 Nov 2012 15:37:18 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Two items of potential interest on the 2012 election
1. Anonymous, Karl Rove, and 2012 Election Fix?
Thom Hartmann and Sam Sacks, The Daily Take: Unless Anonymous presents
evidence to support its claims that Rove planned to steal the presidential
election for the GOP, its work will be relegated to the status of Internet
antics -- and the dustbins of history.
2. Why Anonymous' Claims about Election-Rigging Can't Be Ignored
Thom Hartmann and Sam Sacks, The Daily Take: Given historical trends, why is
it inconceivable to some that Karl Rove may have tried to electronically rig
the election of 2012 in three states?
Date: Sun, 11 Nov 2012 16:10:30 -0500
From: Monty Solomon <monty () roscom com>
Subject: ORCA, Mitt Romney's high-tech get-out-the-vote program, crashed
on Election Day (Michael Kranish)
Michael Kranish, *The Boston Globe*, 2 Nov 2012
Mitt Romney's online voter-turnout operation suffered a meltdown on Election
Day, resulting in a crucial 90-minute "buckling" of the system in Boston and
the inability of some campaign workers across the country to use a vital
smartphone program, according to campaign officials and volunteers.
Code-named ORCA, the program was kept secret until just before the election
in order to prevent hacking of the system. It was then trumpeted by Romney's
aides as an unrivaled high-tech means of communicating with more than 30,000
field workers who were stationed at polling places on Election Day. Those
volunteers were supposed to track who voted and to alert Boston headquarters
if turnout was lower than expected at key precincts.
But at Boston's TD Garden, where 800 Romney workers were staffing phones and
computers in coordination with the field workers to oversee the turnout, the
surge in traffic was so great that the system didn't work for 90 minutes,
causing panic as staffers frantically tried to restore service. Some
campaign workers also reported that they had incorrect PINS and had not been
informed that they needed certification to work at polling places. ...
Date: Sun, 11 Nov 2012 18:39:59 -0800
From: Gene Wirchenko <genew () ocis net>
Subject: "Unleashed! Project Orca, the campaign killer whale" (Cringely)
Robert X. Cringely, *InfoWorld*, 09 Nov 2012
Unleashed! Project Orca, the campaign killer whale
Big data fails big time for the Romney camp as its smartphone app
crashes spectacularly, right on schedule for Election Day
Date: Tue, 06 Nov 2012 13:46:07 -0500
From: Rebecca Mercuri <notable () mindspring com>
Subject: Security issues threaten to derail tablet voting
[My apologies to Rebecca Mercuri. She sent me this item just *before* the
election, and I requeued it to RISKS for the post-election issue -- but
somehow it fell through the crack. However, it is still very timely. PGN]
This interview was done a while ago, but they apparently held the article
for publication immediately prior to the election. A few of my quotes
sounded even more pithy given the e-mail and fax voting options in NJ.
[For example, see Andrew Appel's Freedom-to-Tinker item in RISKS-27.06.
Incidentally, *everyone* in NJ could have availed themselves of paper ballot
voting if they had registered as permanent absentees (no reason needed).
It's an easy form, and every year, like clockwork, your ballot shows up to
fill out and send back (or drop off at the County Board of Elections). No
polls, no lines, no waiting. And indeed, these are the only voter-verified
records available for hand-recounts in the Garden State.
Date: Mon, 12 Nov 2012 10:08:39 -0800
From: "E. John Sebes" <jsebes () osdv org>
Subject: WNYC's On the Media
3 reasons why Estonia's e-voting is irrelevant to the U.S.
1) Estonia has a national ID system that enables strong authentication of
online citizen/gov't transactions. U.S. has no prospect of a national ID
system, and no state has a state ID system that supports online
2) Estonia's elections are administered by the Federal government. U.S.
elections are administered locally.
3) Even with much federal funding for a central I.T. system for i-voting,
the result was a system with low software integrity and lax datacenter
operations that were given a "gentleman's C-" by independent review by
OSCE. In the less polite U.S., that grade would have been an "F".
Instead of saying "If it works in Estonia, why can't it work in the U.S?"
the question is "If it did not work in Estonia, why would you think it would
work for each of the thousands of U.S. local elections?"
Date: Wed, 21 Nov 2012 20:56:55 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Scientists Find Cheaper Way to Ensure Internet Security (John Markoff)
John Markoff, *The New York Times*, 20 Nov 2012,
Scientists at Toshiba and Cambridge University have perfected a technique
that offers a less expensive way to ensure the security of the high-speed
fiber optic cables that are the backbone of the modern Internet.
The research, which will be published Tuesday in the science journal
Physical Review X, describes a technique for making infinitesimally short
time measurements needed to capture pulses of quantum light hidden in
streams of billions of photons transmitted each second in data
networks. Scientists used an advanced photodetector to extract weak photons
from the torrents of light pulses carried by fiber optic cables, making it
possible to safely distribute secret keys necessary to scramble data over
distances up to 56 miles.
Such data scrambling systems will most likely be used first for government
communications systems for national security. But they will also be
valuable for protecting financial data and ultimately all information
transmitted over the Internet.
The approach is based on quantum physics, which offers the ability to
exchange information in a way that the act of eavesdropping on the
communication would be immediately apparent. The achievement requires the
ability to reliably measure a remarkably small window of time to capture a
pulse of light, in this case lasting just 50 picoseconds -- the time it
takes light to travel 15 millimeters. ...
[I'm very fond of David Wagner's comment to the effect that quantum
cryptography takes money that people don't have to solve a problem they
don't have. PGN]
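The property the article leans on, that an eavesdropper on a quantum key exchange is "immediately apparent", comes from the protocol, not from the photodetector. The simulation below is an added example, not code from the article, Toshiba or Cambridge: it runs the BB84 key-distribution exchange between Alice and Bob with and without an intercept-and-resend eavesdropper, and shows why the error rate on the publicly compared sample jumps to about one quarter when someone is on the fibre. Photons are modelled classically as (basis, bit) pairs with one quantum rule assumed: measuring in the wrong basis gives a random bit and collapses the photon into the measuring basis. The 4000-photon run, the seed and the 11% abort threshold are constructed parameters, not figures from the page.

```python
"""Toy BB84 quantum key distribution with an intercept-resend eavesdropper.

Added example, not code from the article. A photon is a (basis, bit) pair.
Measuring it in the basis it was prepared in returns the bit; measuring in
the other basis returns a uniformly random bit and leaves the photon in the
measuring basis. That single rule is what makes eavesdropping visible.
"""
import random
from dataclasses import dataclass

RECTILINEAR, DIAGONAL = 0, 1

# Assumed abort rule for this toy (a commonly quoted BB84 figure, not from
# the article): if more than about 11% of the checked bits disagree, the
# parties discard the key rather than try to correct it.
QBER_ABORT_THRESHOLD = 0.11


@dataclass
class Bb84Result:
    sifted_bits: int    # positions where Alice's and Bob's bases agreed
    sampled_bits: int   # how many of those were compared in the clear
    qber: float         # fraction of compared bits that disagreed
    accepted: bool      # False: eavesdropping detected, key discarded
    key: list           # remaining secret bits if accepted, else empty


def measure(photon, basis, rng):
    """Measure `photon` in `basis`; return (collapsed_photon, observed_bit)."""
    prep_basis, bit = photon
    if basis == prep_basis:
        return (basis, bit), bit
    observed = rng.randrange(2)           # wrong basis: outcome is random
    return (basis, observed), observed    # and the state now belongs to `basis`


def bb84(n_photons, eavesdrop, seed=1, sample_fraction=0.5):
    """Run one BB84 exchange; constructed sample parameters, deterministic seed."""
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n_photons)]
    alice_bases = [rng.randrange(2) for _ in range(n_photons)]
    in_flight = list(zip(alice_bases, alice_bits))

    if eavesdrop:
        # Eve does not know Alice's bases, so she guesses, measures and resends.
        # Half her guesses are wrong; each wrong guess randomises the photon, so
        # Bob sees a disagreement in about 1/4 of the positions that survive sifting.
        in_flight = [measure(p, rng.randrange(2), rng)[0] for p in in_flight]

    bob_bases = [rng.randrange(2) for _ in range(n_photons)]
    bob_bits = [measure(p, b, rng)[1] for p, b in zip(in_flight, bob_bases)]

    # Sifting: bases are announced over the public channel; positions where
    # Alice's and Bob's bases differ carry no usable information and are dropped.
    sifted = [(a, b) for a, b, ab, bb in
              zip(alice_bits, bob_bits, alice_bases, bob_bases) if ab == bb]

    # Error estimation: a random subset is compared in the clear, then discarded.
    idx = list(range(len(sifted)))
    rng.shuffle(idx)
    n_sample = int(len(sifted) * sample_fraction)
    errors = sum(1 for i in idx[:n_sample] if sifted[i][0] != sifted[i][1])
    qber = errors / n_sample if n_sample else 0.0

    accepted = qber <= QBER_ABORT_THRESHOLD
    key = [sifted[i][0] for i in idx[n_sample:]] if accepted else []
    return Bb84Result(len(sifted), n_sample, qber, accepted, key)


if __name__ == "__main__":
    for eve in (False, True):
        r = bb84(4000, eavesdrop=eve)
        print(f"eavesdropper={eve}: sifted={r.sifted_bits} "
              f"compared={r.sampled_bits} qber={r.qber:.3f} accepted={r.accepted}")
```

Without Eve the compared sample disagrees nowhere and roughly half the photons survive sifting; with an intercept-resend Eve the disagreement rate lands near 25%, far above the abort threshold, and no key is produced. The protocol detects tampering because Eve cannot copy a photon without measuring it, and she cannot measure it without sometimes choosing the wrong basis; the hardware advance described in the article is about recovering the weak signal photons from a busy fibre at all, not about this detection logic.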
Date: Thu, 15 Nov 2012 10:24:19 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Consequences of Facebook photo misidentification
[Thanks to Kenneth Olthoff for spotting this one. PGN]
If you thought that embarrassing photos from a party where you had one too
many were a problem on Facebook, here's one from the BBC about the face of
the "martyr" that was the wrong person's photo. It led to the woman whose
photo was mistakenly used having to flee her country.
Date: Mon, 19 Nov 2012 12:32:46 +0000
From: "Mark J Bennison (UK)" <mark.m.bennison () mbda-systems com>
Subject: Android flaw blocks December dates
The People app calendar goes from November 2012 to January 2013, and
completely omits December. The People app is the default app for contact
info on Androids.
[The Androgrinch stole Christmas? PGN]
Date: Tue, 20 Nov 2012 21:58:35 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Big Data and Europe's "Right to be Forgotten"
Will Big Data sink Europe's nightmarish "Right to be Forgotten" concept?
Let's hope so!
http://j.mp/SdluF1 (GigaOM via NNSquad)
"A report by Europe's cybersecurity agency points out several flaws with
the proposed 'right to be forgotten'. A big one has to do with the
challenges presented by the increasing use of aggregated data."
Good. Very good. Excellent. Just about anything that helps to kill
off the nightmarish Right to Be Forgotten concept is welcome.
Background reading on this issue: "The 'Right to Be Forgotten'.
A Threat We Dare Not Forget": http://bit.ly/yk8t7m (Lauren's Blog)
Date: Fri, 16 Nov 2012 20:29:07 -0500
From: Dave Farber <dave () farber net>
Subject: Bloomberg news: Why Cell Phones Went Dead After Hurricane Sandy
by Susan Crawford
After Hurricane Sandy, survivors needed, in addition to safety and power,
the ability to communicate. Yet in parts of New York City, mobile
communications services were knocked out for days.
The problem? The companies that provide them had successfully resisted
Federal Communications Commission calls to make emergency preparations,
leaving New Yorkers to rely on the carriers' voluntary efforts.
Susan Crawford is a monthly columnist for Bloomberg View. She is a visiting
professor at Harvard's Kennedy School of Government and at Harvard Law
[This is a long item from Dave Farber's IP distribution, truncated for
RISKS, but worth pursuing. It generated extensive comments that are
included at the above URL. PGN]
Contacts: Susan P. Crawford at scrawford () scrawford net or @scrawford
<https://twitter.com/scrawford> on Twitter.
Date: Wed, 14 Nov 2012 17:55:59 -0500
From: Steven J Klein <steven () klein us>
Subject: Less privacy protection for IMAP users
In the US, e-mail privacy is protected by the Electronic Communications
Privacy Act. The law, passed in 1986, requires that law enforcement
officials obtain a warrant to intercept & read private e-mail.
But the law has a critical flaw: It treats e-mail left on third-party
servers for 180 days as "abandoned." All that's necessary for the
government to get copies of those older messages is for a prosecutor to
Now that IMAP and web-based mail is commonplace, many people use mail
servers for permanent storage of old messages. I doubt the average gmail
user considers his old messages as abandoned.
Apparently this loophole played a role in the recent investigation of CIA
director General Petraeus.
A coalition of e-mail service providers is seeking a revision of the law to
treat messages in the cloud the same as messages stored on a home computer.
The Obama administration opposes the change.
Date: Wed, 14 Nov 2012 02:26:21 -0800
From: scs () eskimo com (Steve Summit)
Subject: Privacy and surveillance
Good *NYT* article on the conflicting goals of investigating harassment or
security breaches, versus respecting people's privacy.
"The F.B.I. investigation that toppled the director of the C.I.A. [...]
underscores a danger that civil libertarians have long warned about: that in
policing the Web for crime, espionage and sabotage, government investigators
will unavoidably invade the private lives of Americans." "What began as a
private, and far from momentous, conflict between two women [...] has had
incalculable public costs."
Date: Mon, 12 Nov 2012 09:27:23 -0800
From: Gene Wirchenko <genew () ocis net>
Subject: "Unlocking the brilliance in high tech"
Unlocking the brilliance in high tech
Author describes her journey in the male dominated engineering trade
11/10/2012 5:09:00 PM By: Christine Wong
This article is mainly about how one woman got going in engineering, but
then gets into a risk of not having more women in the field. "Examples in
her book include the fact that voice recognition software and car air bags
weren't originally designed with female users in mind, an oversight that had
disastrous results in the former case and life threateningly dangerous
consequences in the latter."
Date: Sun, 11 Nov 2012 22:59:45 -0600
From: "Richard S. Russell" <richardsrussell () tds net>
Subject: Re: Summary of my experiences on the election (Re: Jones, R-27.08)
From: "Jones, Douglas W" <douglas-w-jones () uiowa edu>
In my opinion, Florida's legislature can make several changes to address
There are 2 halves to this idea. The good half is for the long form to
contain all the legalese, the official language that actually accomplishes
something, with the short form containing the PR version that conveys a
layperson's interpretation of the measure.
The bad half is letting the proponents compose the PR version. This is
likely to lead to things like "Little pig-tailed girls love kitties and
rainbows and butterflies, and isn't that wonderful?", regardless of what the
measure actually accomplishes. Its proposers will naturally skew the
interpretation to be as favorable as possible toward the outcome they
Here in Wisconsin the short-form wording is composed by the non-partisan
Legislative Reference Bureau, and this seems to have been satisfactory,
although we haven't had such issues with nearly the frequency of other
On a related matter, I muse that sooner or later some jurisdiction will try
on-line voting, some 13-year-old computer whiz will hack the system to get
himself elected mayor or governor, and that'll be the end of that.
Richard S. Russell, a Bright (http://the-brights.net)
2642 Kendall Av. #2, Madison WI 53705-3736
608+233-5640 • RichardSRussell () tds net
Date: Wed, 21 Nov 2012 10:17:37 -0800
From: Rance DeLong <rdelong () engr scu edu>
Subject: 2012 Layered Assurance Workshop (LAW) Final Program
The Sixth Layered Assurance Workshop (LAW) co-located with the 28th
Annual Computer Security Applications Conference (ACSAC 2012)
Buena Vista Palace Hotel & Spa in the Walt Disney World Resort, Florida, USA
3-4 December 2012
The Layered Assurance Workshop is just twelve days away. The final LAW
program is available at the link above. See the program for the interesting
panels and papers. Registration for LAW may be accomplished through the
ACSAC registration page at http://www.acsac.org.
We look forward to your participation.
Rance J. DeLong, Workshop Chair
[Disclaimer: I'll be participating in both LAW2012 and ACSAC.
Both very worthy meetings. PGN]
Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. The mailman Web interface can
be used directly to subscribe and unsubscribe:
Alternatively, to subscribe or unsubscribe via e-mail to mailman
your FROM: address, send a message to
risks-request () csl sri com
containing only the one-word text subscribe or unsubscribe. You may
also specify a different receiving address: subscribe address= ... .
You may short-circuit that process by sending directly to either
risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
depending on which action is to be taken.
Subscription and unsubscription requests require that you reply to a
confirmation message sent to the subscribing mail address. Instructions
are included in the confirmation message. Each issue of RISKS that you
receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
*** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
*** NOTE: Including the string "notsp" at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
or ftp://ftp.sri.com/VL/risks for previous VoLume
http://www.risks.org takes you to Lindsay Marshall's searchable archive at
newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
<http://www.csl.sri.com/illustrative.html> for browsing,
<http://www.csl.sri.com/illustrative.pdf> or .ps for printing
is no longer maintained up-to-date except for recent election problems.
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
End of RISKS-FORUM Digest 27.09