
RISKS Forum mailing list archives
Risks Digest 34.36
From: RISKS List Owner <risko () csl sri com>
Date: Sun, 21 Jul 2024 15:52:44 PDT
RISKS-LIST: Risks-Forum Digest  Sunday 21 Jul 2024  Volume 34 : Issue 36

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/34.36>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents: [Amid madness, way backlogged.]
CrowdStrike IT outage affected 8.5 million Windows (BBC via Matthew Kruk)
A CrowdStrike update crashed the world's computers. What comes next? (WiReD)
The MTA's Old Computer Technology Kept Going During Today's MS-related
  Outrage (Curbed via Henry Baker)
Cyber Criminals Seek to Exploit Crowdstrike Outage (Gabe Goldberg)
Re: Crowdstrike (Cliff Kilby)
Boeing and Failures (BBC via Jim Geissman)
U.S. Gender Care Is Ignoring Science (Pamela Paul)
AT&T says hacker stole call records of ‘nearly all’ wireless customers
  (WashPost)
Data breach exposes millions of mSpy spyware customers (TechCrunch)
Rite Aid says June data breach impacts 2.2 million people (Victor Miller)
What comes around: SSH CVE-2024-6387 (Qualys via Cliff Kilby)
Exim attachment flaw CVE-2024-39929 (Censys)
New Intel CPU Vulnerability 'Indirector' Exposes Sensitive Data
  (geoff goodfellow)
German Navy still uses 8-inch floppy disks, working on emulating a
  replacement (ArsTechnica)
Zombie browser says "what"? (Betanews)
You're holding your phone wrong? (WashPost)
In Ukraine War, A.I. Begins Ushering In an Age of Killer Robots
  (The New York Times)
Perfect Apple Supply Chain Bug -- Millions of Apps at Risk of CocoaPods RCE
  (Security Boulevard)
When AI tells you to verify (Lauren Weinstein)
In GA the Biggest Election Breach in History Has Gone Uninvestigated
  (Notus via Susan Greenhalgh)
OpenAI illegally barred staff from airing safety risks, whistleblowers say
  (WashPost)
Drone photographer pleads guilty to Espionage Act charges (The Verge)
Re: Voting in Switzerland (Rebecca Mercuri, Bertrand Meyer)
Re: Russian Disinformation (PGN)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

From: Matthew Kruk <mkrukg () gmail com>
Date: Sat, 20 Jul 2024 13:34:52 -0600
Subject: CrowdStrike IT outage affected 8.5 million Windows devices,
  Microsoft says (BBC)

https://www.bbc.com/news/articles/cpe3zgznwjno

Microsoft says it estimates that 8.5m computers around the world were
disabled by the global IT outage.

It's the first time that a number has been put on the incident, which is
still causing problems around the world.

The glitch came from a cybersecurity company called CrowdStrike which sent
out a corrupted software update to its huge number of customers.

  [Almost all major airline computer systems were affected:
  Bruce Crumley, Inc. 19 Jul 2024
  https://www.inc.com/bruce-crumley/airlines-bear-brunt-of-global-crowdstre.html
  -- although JetBlue evidently had zero problems because it does *not use*
  the MS/Crowdstrike connection.  I had two flights to get home, and
  everything seemed to be running ahead of schedule!  PGN]

------------------------------

Date: Fri, 19 Jul 2024 19:12:50 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: A CrowdStrike update crashed the world's computers. What comes next?
  (WiReD)

Airports, banks, TV stations, health care organizations, hotels, and
countless other businesses are still reeling from widespread IT outages,
leaving flights grounded and causing untold disruption.
The cause? A software update from cybersecurity firm CrowdStrike that crashed
Windows machines across the globe. Only a handful of times in history has a
single piece of code managed to instantly wreck computer systems worldwide.
This time, the ongoing digital catastrophe appears to have been triggered not
by malicious code released by hackers but by the software designed to stop
them. Here’s how it happened, how it’s impacting the world, and where we go
from here.

https://link.wired.com/view/5be9ddd83f92a40469eae33cliaml.2ptl/8d27d912

------------------------------

Date: Sat, 20 Jul 2024 00:35:34 +0000
From: Henry Baker <hbaker1 () pipeline com>
Subject: The MTA's Old Computer Technology Kept Going During Today's
  MS-related Outrage (Curbed)

FYI -- *diversity* in computer systems can provide more resilience...
Putting all your eggs in one basket risks putting egg all over your face!

https://www.curbed.com/article/mta-tech-outage-countdown-clocks-oldest-kept-going.html

The MTA's Old Computer Technology Kept Going During Today's Outage
Nolan Hicks, a longtime New York City politics and transit reporter

* On the website formerly known as Twitter, users (okay, me) jokingly
  posted, "MTA this AM: Can't crash computers you don't have!" along with a
  picture of the Battlestar Galactica, the interplanetary aircraft carrier
  that survived a rebellion led by sentient robots because it was the one
  vessel that, lacking a computer network, couldn't be hacked.

* Housing-policy expert Alex Armlovich joked that "the MTA's deeply
  fragmented IT systems are so mutually incompatible that at least only half
  the system crashes at one time."

  [DIVERSITY is ironic here: This reminds me of Microsoft's response to the
  Internet Worm in 1988: ``Our software was completely unaffected.''  Of
  course that was true, because the Worm targeted only Unix systems.
  Remarkable hyperbole.  Hyperbolloxed?  PGN]

  [It seems more like DieVarsity, because scuttlebutt suggests that a single
  unintentional button push caused the entire fiasco.  There should have at
  least been some sort of advisory warning such as "Do you really want to
  let the wild rumpus roar worldwide?"  PGN]

------------------------------

Date: Fri, 19 Jul 2024 17:38:38 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Cyber Criminals Seek to Exploit CrowdStrike Outage

Organizations, including government and Public Safety agencies, are
reporting blue screen of death on systems with a CrowdStrike Update deployed
last night. If you have CrowdStrike deployed in your environment, we suggest
following the guidance provided by CrowdStrike:
https://www.crowdstrike.com/blog/statement-on-windows-sensor-update/

The VFC has received information that cybercriminals are exploiting this
event and posing as Crowdstrike support. Exercise caution and only speak
with legitimate Crowdstrike support personnel. The following are known,
fraudulent pop up support partners claiming to be CrowdStrike support:

/crowdstrikebluescreen.com
/crowdstrike0day.com
/crowdstrike-bsod.com
/crowdstrikedoomsday.com
/crowdstrikefix.com
/crowdstrikedown.site
/crowdstriketoken.com

https://fusion.vsp.virginia.gov/vfcshield/all-sector-specific-bulletin-update-cyber-criminals-seek-to-exploit-crowdstrike-outage/

------------------------------

Date: Fri, 19 Jul 2024 11:03:23 -0400
From: Cliff Kilby <cliffjkilby () gmail com>
Subject: Re: CrowdStrike

I've used and rather like Crowdstrike. I specifically like that it has an
auto-update policy available.
https://medium.com/mii-cybersec/crowdstrike-falcon-series-deployment-to-maximum-protection-5ba791d33270

Any org I've worked with or any product I've worked with has to have the
option for N-1 deployment, or I've had to create one. Version N goes on a
few QA machines, and one or two employee machines (IT testers). N-1 goes on
everything else.
If there is an issue with N, we get a heads up. If there's a vulnerability
with N-1, we'd have the option to bypass auto update using normal patching
process.
https://techcrunch.com/2024/07/19/banks-airlines-brokerage-houses-report-widespread-outages-across-the-globe/

If this outage was caused by a sensor update, I have questions about why
anyone would be running software that hasn't had some local testing first.
Just because there is an update, your environment is most likely unique,
with machines running between OS and App patch levels. Are these companies
also pulling in upstream patches without any testing?
https://www.theregister.com/2024/07/18/security_review_failure/

Oh. Oh dear. Have fun with that.

APPENDED: It seems that the defect was in a content update, not a sensor
update. There's no N rule for content deployment with CrowdStrike running
auto updates:

  a defect found in a single content update of its software on Microsoft
  Windows operating systems, according to a post on X from CEO George Kurtz.

My apologies for the miscommunication.

------------------------------

Date: Thu, 18 Jul 2024 11:25:59 -0700
From: "Jim Geissman" <jgeissman () socal rr com>
Subject: Boeing and Failures

https://www.bbc.com/future/article/20240718-how-ordinary-failure-could-have-a-seismic-effect-on-an-industrial-giant

How ordinary failure could have a seismic effect on an industrial giant
By John Downer, who is Associate Professor in Science and Technology Studies
at the University of Bristol, and the author of "Rational Accidents."
<https://mitpress.mit.edu/9780262546997/rational-accidents/>
A shorter version of this story was previously published on MIT Press Reader.

------------------------------

Date: Sun, 14 Jul 2024 7:28:35 PDT
From: Peter Neumann <neumann () csl sri com>
Subject: U.S. Gender Care Is Ignoring Science (Pamela Paul)

Pamela Paul, *The New York Times*, Sunday Opinion, 14 Jul 2024

Imagine a comprehensive review of research on a treatment for children found
``remarkably weak evidence'' that it was effective. Now imagine the medical
establishment shrugged off the conclusions and continued providing the same
and life-altering treatment to its young patients. This is where we are with
gender medicine in the United States. ...

But there is no basis to rush putting kids on an irreversible path of
medicalization. With children's health and well-being at stake, effective
evidence-based and compassionate health care must be accepted. It's one
thing to pursue a medical path not knowing whether it's effective; it's
quite another to persist on that path with no solid evidence to support it.

------------------------------

Date: Fri, 12 Jul 2024 15:58:55 -0400
From: Monty Solomon <monty () roscom com>
Subject: AT&T says hacker stole call records of ‘nearly all’ wireless
  customers (WashPost)

The information could provide a roadmap for criminals who could impersonate
a friend or relative to trick a victim, experts warned.
https://www.washingtonpost.com/business/2024/07/12/att-wireless-hacker-data-breach/

Hackers stole almost everyone’s AT&T phone records. What should you do?
Hackers stole phone records from almost all AT&T wireless customers. What
should you do if that includes you?
https://www.washingtonpost.com/technology/2024/07/12/att-data-breach-hack-calls-texts-what-do/

  [Victor Miller spotted:
  AT&T says criminals stole phone records of 'nearly all' customers in new
  data breach | TechCrunch
  https://techcrunch.com/2024/07/12/att-phone-records-stolen-data-breach/
  PGN]

------------------------------

Date: Sat, 13 Jul 2024 09:17:51 -0700
From: Steve Bacher <sebmb1 () verizon net>
Subject: Data breach exposes millions of mSpy spyware customers (TechCrunch)

A huge batch of mSpy customer service emails dating back to 2014 were stolen
in a May data breach.
https://techcrunch.com/2024/07/11/mspy-spyware-millions-customers-data-breach/

------------------------------

Date: Tue, 16 Jul 2024 16:06:55 +0000
From: Victor Miller <victorsmiller () gmail com>
Subject: Rite Aid says June data breach impacts 2.2 million people

These are getting to be so common it's hardly worth reporting. :-(
https://www.bleepingcomputer.com/news/security/rite-aid-says-june-data-breach-impacts-22-million-people/

------------------------------

Date: Mon, 1 Jul 2024 15:26:31 -0400
From: Cliff Kilby <cliffjkilby () gmail com>
Subject: What comes around: SSH CVE-2024-6387 (Qualys)

https://www.qualys.com/regresshion-cve-2024-6387/

As mentioned in the source, this is actually the reemergence of an older,
previously resolved unauthenticated RCE, CVE-2006-5051. Versions released
for a period of about 4 years are affected. If you can't patch, mitigation
outlined sets LoginGraceTime to 0 in the config file. This may lead to
denial of service conditions and patching is strongly advised.
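  [An added example, mine rather than anything from the post above or from
  Qualys: a small checker that tells you whether an sshd_config actually
  carries the LoginGraceTime 0 workaround on a host you could not patch yet.
  It resolves the global directive the way sshd does: the first occurrence of
  a keyword wins, keyword matching is case-insensitive, both "Keyword value"
  and "Keyword=value" forms are accepted, time values may carry s/m/h/d/w
  suffixes, and anything after a Match line is conditional and does not set
  the global value. The 120-second default is the one documented in
  sshd_config(5). Include directives are not followed, and the sample configs
  are constructed, not taken from any real host.]

```python
"""Check whether an sshd_config carries the CVE-2024-6387 workaround.

Added example, not from the RISKS post or from Qualys.  It reads the text
of an sshd_config and resolves the effective global LoginGraceTime the way
sshd resolves a global directive: first occurrence wins, keyword matching is
case-insensitive, "Keyword value" and "Keyword=value" are both accepted,
time values may carry s/m/h/d/w suffixes, and lines after a Match block
are conditional and do not set the global value.  Include directives are
not followed.  The default of 120 seconds is the one documented in
sshd_config(5).
"""
import re

DEFAULT_LOGIN_GRACE_TIME = 120  # sshd_config(5) default, in seconds

_TIME_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_time(value: str) -> int:
    """Convert an sshd time value ("30", "30s", "2m", "1h30m") to seconds."""
    total, pos = 0, 0
    for m in re.finditer(r"(\d+)([smhdw]?)", value.lower()):
        if m.start() != pos:            # garbage between components
            raise ValueError(f"bad time value: {value!r}")
        total += int(m.group(1)) * _TIME_UNITS[m.group(2)]
        pos = m.end()
    if not value or pos != len(value):  # empty, or trailing garbage
        raise ValueError(f"bad time value: {value!r}")
    return total


def global_directives(config_text: str) -> dict:
    """Return the effective global directives as {lowercase keyword: value}."""
    effective = {}
    in_match = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            in_match = True   # everything that follows is conditional
            continue
        if in_match:
            continue
        effective.setdefault(keyword, value)  # first occurrence wins
    return effective


def login_grace_time(config_text: str) -> int:
    """Effective global LoginGraceTime in seconds (0 means no limit)."""
    value = global_directives(config_text).get("logingracetime")
    return DEFAULT_LOGIN_GRACE_TIME if value is None else parse_time(value)


def assess(config_text: str) -> str:
    """One-line verdict for a host that has not yet received the patch."""
    grace = login_grace_time(config_text)
    if grace == 0:
        return ("mitigated: LoginGraceTime 0 closes the race but lets idle "
                "unauthenticated connections pile up (DoS); patch anyway")
    return (f"exposed: effective LoginGraceTime is {grace}s; patch, or set "
            "LoginGraceTime 0 until you can")


# Constructed sample configs (not taken from any real host).
CONFIG_DEFAULT = "Port 22\nPermitRootLogin no\n"
CONFIG_MITIGATED = "# regreSSHion workaround\nLoginGraceTime 0\nPort 22\n"
CONFIG_ONLY_IN_MATCH = "Match User backup\n    LoginGraceTime 0\n"

if __name__ == "__main__":
    for name, cfg in [("default", CONFIG_DEFAULT),
                      ("mitigated", CONFIG_MITIGATED),
                      ("only-in-match", CONFIG_ONLY_IN_MATCH)]:
        print(f"{name}: {assess(cfg)}")
```

  [Run it against the output of "sshd -T" rather than the raw file if the
  config uses Include: "sshd -T" prints the already-resolved directives, one
  per line, which the same parser handles.]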
https://www.computing.co.uk/news/4329906/critical-vulnerability-openssh-uncovered-affects-linux-systems

------------------------------

Date: Fri, 12 Jul 2024 09:11:23 -0400
From: Cliff Kilby <cliffjkilby () gmail com>
Subject: Exim attachment flaw CVE-2024-39929 (Censys)

https://censys.com/cve-2024-39929/

Due to a bug in header processing, Exim may ignore attachment rules
preventing executable or other attachment extension blocks. Patch available
in RC, but has not made GA yet. User education would be the only realistic
mitigation for orgs running Exim until 4.98 goes GA.

  [NOTE: As of 4 Jun 2024, there were 240,830 CVEs in the MITRE repository.
  That is really scary, as the number just keeps growing.  The previous
  occasion on which I recorded the comparable number was 121,241 CVEs on
  20 August 2019, so the number of CVEs has essentially doubled in less than
  five years.  To me that is a very scary factoid.  PGN]

------------------------------

Date: Thu, 4 Jul 2024 07:22:29 -0700
From: geoff goodfellow <geoff () iconia com>
Subject: New Intel CPU Vulnerability 'Indirector' Exposes Sensitive Data

Modern CPUs from Intel, including Raptor Lake and Alder Lake, have been
found vulnerable to a new side-channel attack that could be exploited to
leak sensitive information from the processors.

The attack, codenamed Indirector by security researchers Luyi Li, Hosein
Yavarzadeh, and Dean Tullsen, leverages shortcomings identified in Indirect
Branch Predictor (IBP) and the Branch Target Buffer (BTB) to bypass existing
defenses and compromise the security of the CPUs.

"The Indirect Branch Predictor (IBP) is a hardware component in modern CPUs
that predicts the target addresses of indirect branches," the researchers
noted <https://indirector.cpusec.org/>. "Indirect branches are control flow
instructions whose target address is computed at runtime, making them
challenging to predict accurately. The IBP uses a combination of global
history and branch address to predict the target address of indirect
branches."

The idea, at its core, is to identify vulnerabilities in IBP to launch
<https://thehackernews.com/2024/05/new-spectre-style-pathfinder-attack.html>
precise Branch Target Injection (BTI) attacks -- aka Spectre v2
(CVE-2017-5715 <https://nvd.nist.gov/vuln/detail/cve-2017-5715>) -- which
target a processor's indirect branch predictor
<https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/retpoline-branch-target-injection-mitigation.html>
to result in unauthorized disclosure of information to an attacker with
local user access via a side-channel.

This is accomplished by means of a custom tool called iBranch Locator that's
used to locate any indirect branch, followed by carrying out precision
targeted IBP and BTP injections to perform speculative execution.

Yavarzadeh, one of the lead authors of the paper, told The Hacker News that
"while Pathfinder
<https://thehackernews.com/2024/05/new-spectre-style-pathfinder-attack.html>
targeted the Conditional Branch Predictor, which predicts whether a branch
will be taken or not, this research attacks target predictors," adding
"Indirector attacks are much more severe in terms of their potential
scenarios."

Indirector reverse engineers IBP and BTB, Yavarzadeh said, which are
responsible for predicting the target addresses of branch instructions in
modern CPUs, with an aim to create extremely high-resolution branch target
injection attacks that can hijack the control flow of a victim program,
causing it to jump to arbitrary locations and leak secrets.

Intel, which was made aware of the findings in February 2024, has since
informed other affected hardware/software vendors about the issue. [...]
https://thehackernews.com/2024/07/new-intel-cpu-vulnerability-indirector.html

------------------------------

Date: Fri, 12 Jul 2024 16:04:53 -0400
From: Monty Solomon <monty () roscom com>
Subject: German Navy still uses 8-inch floppy disks, working on emulating a
  replacement (ArsTechnica)

https://arstechnica.com/gadgets/2024/07/german-navy-still-uses-8-inch-floppy-disks-working-on-emulating-a-replacement/

  REMINDER: San Francisco’s Train System Still Uses Floppy Disks --
  (RISKS-34.19)

------------------------------

Date: Sun, 14 Jul 2024 10:04:05 -0400
From: Cliff Kilby <cliffjkilby () gmail com>
Subject: Zombie browser says "what"? (Betanews)

Microsoft quit providing user access to Internet Explorer but the OS still
has it.
https://betanews.com/2024/07/10/resurrecting-internet-explorer-the-nasty-threat-impacting-potentially-millions-of-windows-10-and-11-users/

There are things you can do to prevent this.

Disable mhtml protocol
https://learn.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-037

MSHTA isn't IE. It's IE with no sandbox and OS level WSH/JScript access. It's
probably the most dangerous path to IE available on Windows. You can prevent
auto launch though. Replace the mshta handler with something safer, like
notepad. Or, cut its network access using firewall rules.

An example of this (and a bunch of other hardening rules) is available from
https://github.com/atlantsecurity/windows-hardening-scripts

I have personally had good luck with the Atlant scripts, but I would be
remiss if I didn't include: Do not run files if you do not know what they
are doing. Some of the hardening steps listed will disable insecure features
of Windows that are still in common use in large orgs. Manually editing the
registry can brick your box.

------------------------------

Date: Fri, 12 Jul 2024 23:44:11 -0400
From: Monty Solomon <monty () roscom com>
Subject: You're holding your phone wrong? (WashPost)

Since you're unlikely to use your smartphone less, try these adjustments to
minimize hand and eye issues.
https://www.washingtonpost.com/technology/2024/07/11/holding-smartphone-wrong/

------------------------------

Date: Wed, 3 Jul 2024 14:24:14 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: In Ukraine War, A.I. Begins Ushering In an Age of Killer Robots
  (The New York Times)

In a field on the outskirts of Kyiv, the founders of Vyriy, a Ukrainian drone
company, were recently at work on a weapon of the future.

To demonstrate it, Oleksii Babenko, 25, Vyriy’s chief executive, hopped on
his motorcycle and rode down a dirt path. Behind him, a drone followed, as a
colleague tracked the movements from a briefcase-size computer.

Until recently, a human would have piloted the quadcopter. No longer.
Instead, after the drone locked onto its target — Mr. Babenko — it flew
itself, guided by software that used the machine’s camera to track him.

The motorcycle’s growling engine was no match for the silent drone as it
stalked Mr. Babenko. “Push, push more. Pedal to the metal, man,” his
colleagues called out over a walkie-talkie as the drone swooped toward him.
“You’re screwed, screwed!”

If the drone had been armed with explosives, and if his colleagues hadn’t
disengaged the autonomous tracking, Mr. Babenko would have been a goner.

https://www.nytimes.com/2024/07/02/technology/ukraine-war-ai-weapons.html?smid=nytcore-ios-share&referringSource=articleShare&sgrp=c-cb

------------------------------

Date: Sun, 7 Jul 2024 18:54:32 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Perfect Apple Supply Chain Bug -- Millions of Apps at Risk of
  CocoaPods RCE (Security Boulevard)

10-year-old vulnerabilities in widely used dev tool include a CVSS 10.0
remote code execution bug.

CocoaPods, a dependency manager used by millions of Apple iOS and macOS
apps, suffered secret critical flaws since 2014.
If they’d been exploited by hackers, the consequences could have been
disastrous. And maybe they were exploited. In today’s SB Blogwatch, it’s
hard to be sure. [...]

Is the lesson that you should audit your dependencies? No way, thinks Martin
Blank:

  How do you reasonably do that? … The dependency stacks are so tall these
  days that trying to audit the dozen libraries you call on (for a small
  project) means auditing the dozens they rely on—and the hundreds that
  layer relies on. If you have a project with thousands of dependencies, it
  becomes impossible to vet them all, and it is impossible to recreate the
  functionality in anything resembling an economically viable fashion
  without a high risk of introducing your own vulnerabilities.

https://securityboulevard.com/2024/07/cocoapods-apple-vulns-richixbw/

------------------------------

Date: Fri, 5 Jul 2024 16:51:05 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: When AI tells you to verify

If an AI system's disclaimers tell you to verify through other sources
whether or not the AI system is giving you accurate answers to your
questions, then that AI system is, in essence, worthless as a
question-answering tool. -L

------------------------------

Date: Thu, 18 Jul 2024 12:55:14 -0400
From: Susan Greenhalgh <segreenhalgh () gmail com>
Subject: In GA the Biggest Election Breach in History Has Gone Uninvestigated
  (Notus)

Here is an excellent summary of the failure to investigate the insider
voting system breaches in Georgia by Trump campaign operatives in 2021. This
breach was coordinated with and/or connected to other state breaches,
spanning state lines yet there is still no evidence of any federal
investigation.

In Georgia, the Biggest Election Breach in History Has Gone Uninvestigated
In 2020, a group of technicians accessed government election servers and
voting machines. The small town where it happened is still asking for
answers.
Jose Pagliery <https://www.notus.org/jose-pagliery>
July 18, 2024 05:30 AM | Updated: July 18, 2024 05:29 AM

------------------------------

Date: Sun, 14 Jul 2024 09:45:08 -0700
From: geoff goodfellow <geoff () iconia com>
Subject: OpenAI illegally barred staff from airing safety risks,
  whistleblowers say (WashPost)

OpenAI whistleblowers have filed a complaint with the Securities and
Exchange Commission alleging the artificial intelligence company illegally
prohibited its employees from warning
<https://www.washingtonpost.com/technology/2024/06/04/openai-employees-ai-whistleblowers/>
regulators about the grave risks its technology may pose to humanity,
calling for an investigation.

The whistleblowers said OpenAI issued its employees overly restrictive
employment, severance and nondisclosure agreements that could have led to
penalties against workers who raised concerns about OpenAI to federal
regulators, according to a seven-page letter
<https://www.washingtonpost.com/documents/83df0e55-546c-498a-9efc-06fac591904e.pdf>
sent to the SEC commissioner earlier this month that referred to the formal
complaint. The letter was obtained exclusively by The Washington Post.

OpenAI made staff sign employee agreements that required them to waive their
federal rights to whistleblower compensation, the letter said. These
agreements also required OpenAI staff to get prior consent from the company
if they wished to disclose information to federal authorities. OpenAI did
not create exemptions in its employee nondisparagement clauses for
disclosing securities violations to the SEC.

These overly broad agreements violated long-standing federal laws and
regulations meant to protect whistleblowers who wish to reveal damning
information about their company anonymously and without fear of
retaliation, the letter said. [...]
https://www.msn.com/en-us/news/other/ar-BB1pVgU8

------------------------------

Date: Fri, 12 Jul 2024 16:14:09 -0400
From: Monty Solomon <monty () roscom com>
Subject: Drone photographer pleads guilty to Espionage Act charges (The Verge)

https://www.theverge.com/2024/7/12/24197356/chinese-national-graduate-student-espionage-act-drone-navy-shipyard-plea-guilty

------------------------------

Date: Sat, 13 Jul 2024 23:42:15 +0200
From: Bertrand Meyer <Bertrand.Meyer () inf ethz ch>
Subject: Re: Electronic voting (RISKS-34.35)

The previous post was evidently mistitled by PGN. It should have been
something like

  Electronic voting from Switzerland to another country

------------------------------

Date: Sun, 14 Jul 2024 14:12:13 -0400
From: Rebecca Mercuri <notable () mindspring com>
Subject: Re: Voting in Switzerland

The assessments of electronic voting risks by the many authors in Peter
Neumann's newsletters are far from the "doomsday assessments" that you have
characterized as such. I encourage you to break the hypnotic spell that you
seem to have fallen into with respect to your recent experience with
electronic voting in the French legislative election, and consider the
questions below.

Why do you believe that the crypto certificate accurately recorded your vote
selections?

Why do you believe that the tally of the votes that were cast electronically
by each of the voters is a correct summation?

Why do you think that the crypto certificate assures correctness of the vote
totals?

Why do you feel that having 44% of the voters lulled into using this system
is, in any way, a testimonial "to the broad success of the scheme"? Indeed,
a scheme is all that it is -- it is not a proof.

Crypto voting is a charade that requires voters to have blind faith in the
correctness and non-corruptibility of mathematical formulae and software
that they have not personally seen nor do they understand. What is the
crypto certificate other than just a string of symbols?

Only if each voter is able to validate for themself that their individual
ballot has been recorded correctly, AND only if there is a TRANSPARENT way
by which all voters can be assured THAT THEIR BALLOT CHOICES ARE CORRECTLY
AGGREGATED INTO THE VOTE TOTALS can the election results be trusted.
Unfortunately, for such transparency to occur with cryptographic voting,
there is a price -- everyone must be willing to cast their ballot PUBLICLY,
so that they cannot later claim that the totals generated by the
calculations are incorrect. If you'd like to give up privacy, then crypto
voting is fine. But since there are a great number of reasons why citizens
want to cast private ballots, public ballot casting is not an appropriate
method for government elections.

As it turns out, the assurance of the correctness of vote totals (from
encrypted or non-encrypted ballots) is an NP-Complete problem that takes
longer to complete than the time needed to certify the election tallies
(i.e. the time when the vote totals need to be announced). So the
PROVABILITY of correctness of vote totals from non-public casting of
encrypted ballots in large elections is infeasible.

You should be asking these questions:

1) Is speed an appropriate trade-off for transparent assurance of
   correctness of ballot contents and vote tallies?

2) Could votes be erroneously encrypted in such a way that the election
   results can be shifted?

3) Do you actually understand all of the maths pertaining to how the crypto
   voting method works?

4) Do you trust the government (or those they paid to create the voting
   system) to have properly implemented this scheme?

5) Do you believe that this is a transparent and independently auditable
   voting method?
------------------------------

Date: Mon, 15 Jul 2024 10:47:49 +0200
From: Bertrand Meyer <Bertrand.Meyer () inf ethz ch>
Subject: Re: Voting in Switzerland

I almost stopped at "hypnotic spell" as I think there are enough places for
gratuitous name-calling but RISKS is not one of them. All the more that, for
my part, I have followed some of Dr. Mercuri's pioneering work and respect
the major contributions it has made to our understanding of the field.

To answer Dr. Mercuri's questions:

"1) Is speed an appropriate trade-off for transparent assurance of
correctness of ballot contents and vote tallies?"

I do not see any tradeoff here as there is no evidence that correctness is
being sacrificed. Facts please.

2) "Could votes be erroneously encrypted in such a way that the election
results can be shifted?"

I assume they could. Also, when I order a box of paper clips on Amazon, my
credentials could be given to the Sicilian Mafia.

3) "Do you actually understand all of the maths pertaining to how the crypto
voting method works?"

No. I also do not understand much about fluid mechanics and combustion
engineering, but I travel on planes and drive cars. On the side, when
someone makes a comment about a field that I *do* understand in depth, I
refrain from using "do you understand the math?" (meaning: I do and you
don't) as my killer argument to prove them wrong. (What about, instead,
perhaps, explaining?)

Beyond arguments of sheer expert authority, the last two questions are the
most important.

"4) Do you trust the government (or those they paid to create the voting
system) to have properly implemented this scheme?"

Yes, absolutely. France is a democracy with lots of checks and balances and
counter-powers. The press is very nasty with the government and prompt to
catch any appearance of wrongdoing. In practice, many in the academic
community (the kind of people who do "understand the math") are viscerally
opposed to the government. In social and psychological terms, a conspiracy
to skew the results algorithmically, one way or the other, is unfathomable.

And finally:

"5) Do you believe that this is a transparent and independently auditable
voting method?"

Of course I do, otherwise I would not be voting electronically. My
understanding is that the scheme (the appropriate word, in its technical
sense) was devised with advice from people at INRIA, which is one of the
best computer science research centers in the world, with internationally
respected cryptographers. For some of their candid analysis see
https://www.inria.fr/fr/vote-electronique-securite-numerique-confidentialite.
It's as open and honest as you would expect from a scientific organization.
INRIA was also involved in the app that steered France through Covid, and
(whether or not we liked the idea) worked like a charm, with a particular
attention to preserving users' privacy.

Let me actually turn Dr. Mercuri's do-you-know questions back: do you know
of any computer scientist who is an expert in the field, has studied the
French setup, and uncovered actual risks? We are not talking about a crazy
out-of-the-blue experiment. People have been discussing electronic voting,
its risks and how to present them for a quarter century now, and we have
the benefit of analyses by such experts as Dr. Mercuri, who have
considerably advanced our understanding of the field.

Now is not the time, with the current political mess in France, for anyone
on this side of the pond to start lecturing the other. But it is important
to note that unlike in the US -- where every election triggers numerous
stories of alleged fraud, and endless recounts -- vote counting in France is
not a controversial topic. (Well, outside of Corsica.) The process is manual
and trusted. Although I cannot find it in the archive, I sent a post to
RISKS some 24 years ago, at the time of the Gore-Bush Florida debacle, about
assisting a vote counting effort in Paris (any registered voter can
participate), all in a jovial atmosphere even between representatives of
rival parties. Everyone can check what is going on and the result is
incontrovertible. No doubt it helps that elections there are usually about
choosing *one* person, proposal or group, as opposed to the multiple
decisions required of US voters. But still there is a general feeling of
trust -- particularly remarkable between people who are by nature
adversaries.

My recent post was not proselytizing, it was just an experience report. Can
electronic voting be trusted? I believe this question should be evaluated
against the alternatives. Is examining hundreds of the now famous Floridian
"hanging chads" better? Is handing over the decision to the Supreme Court
(made, as the joke went at the time, of people appointed by a president and
now tasked with appointing his son) better? Is the persistent belief of
tens of millions of US voters that the 2020 elections were "rigged" better?
Is the $787 million to be paid by Fox News to Dominion (for fueling that
belief) better? I don't think so.

One alternative, when it is possible, may make e-voting unnecessary:
required in-person voting with paper ballots. But often the actually
available alternatives are dubious. After all, a Dominion Systems voting
machine *is* electronic voting, subject (for conspiracy theorists) to all
the corresponding distortions, but without the openness and public scrutiny
of the French scheme. Mail-in voting is widespread in the US and although it
has been shown -- in lawsuits -- to be quite safe, it is not hard to come up
with theoretical risks.
The French mechanism for expat voting was devised for a good reason: many of the affected voters live far away from any potential voting place; imagine you are a doctor in a small town in the developing world. In some countries, it is actually illegal to organize a voting event for an election in another country. No solution is perfect, but e-voting seems to be an excellent solution for such cases. Whether its application should be broadened is up for discussion, but as good scientists and technologists we should evaluate the pros and cons of every option calmly and objectively.

I could elaborate but, sorry, I need to get back to my hypnosis session.

------------------------------

Date: Fri, 12 Jul 2024 10:19:36 PDT
From: Peter Neumann <neumann () csl sri com>
Subject: Re: Russian Disinformation (RISKS-34.35)

Re: Canada warns of AI-driven Russian 'bot farm' spreading disinformation online (CBC)

There is an extensive article in The New York Times, originally online three days prior, and in the print edition yesterday:

U.S. and Allies Take Aim at Russian Disinformation
Steven Lee Myers and Julian E. Barnes
*The New York Times* National print edition, 11 Jul 2024

A campaign designed to stoke internal political divisions. Spreading dubious content has become easier with AI.

------------------------------

Date: Sat, 28 Oct 2023 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe: http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read. *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.
Instead, use an alternative address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) has moved to the ftp.sri.com site: <risksinfo.html>. *** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's delightfully searchable html archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue. Also, ftp://ftp.sri.com/risks for the current volume/previous directories or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume. If none of those work for you, the most recent issue is always at http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 34.36
************************