Subject: Risks Digest 31.97

RISKS-LIST: Risks-Forum Digest  Tuesday 9 June 2020  Volume 31 : Issue 97

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/31.97>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Democracy Live Internet voting: unsurprisingly insecure, and surprisingly
  insecure (Specter and Halderman, with Andrew Appel's comments via PGN)
More on Internet e-voting: Swiss Post purchases Scytl (SwissInfo)
Report Details New Cyber Threats to Elections From Covid-19 (Maggie Miller)
IBM ends all facial recognition business as CEO calls out bias and
  inequality (TechCrunch)
Cox slows an entire neighborhood's Internet after one person's 'excessive
  use' (Engadget)
Environmentalists Targeted Exxon Mobil. Then Hackers Targeted Them. (NYTimes)
Big brands bring the fight to Big Tech (Politico)
System Security Integration Through Hardware and Firmware (DARPA via
  Richard Stein)
2018 War Game Scenario has Gen Z Revolting (Skullcap SaVant via goodfellow)
A Million-Mile Battery From China Could Power Your Electric Car (Bloomberg)
I wrote this law to protect free speech. Now Trump wants to revoke it.
  (Ron Wyden via CNN)
Programming 'language': Brain scans reveal coding uses same regions as
  speech (Medical Express)
Cisco's Warning: Critical Flaw in IOS Routers Allows 'Complete System
  Compromise' (Liam Tung)
False Negative Tests for SARS-CoV-2 Infection -- Challenges and Implications
  (NEJM)
Re: Just Stop the Superspreading (Atilla, Wol, Amos Shapir, Rob Slade)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 9 Jun 2020 10:29:39 PDT
From: "Peter G. Neumann" <neumann@CSL.SRI.COM>
Subject: Democracy Live Internet voting: unsurprisingly insecure, and
  surprisingly insecure (Specter and Halderman, with Andrew Appel's
  comments via PGN)

A new report by Michael Specter (MIT) and Alex Halderman (U. of Michigan)
<https://internetpolicy.mit.edu/wp-content/uploads/2020/06/OmniBallot.pdf>
demonstrates that the OmniBallot Internet voting system from Democracy Live
<https://democracylive.com/> is fatally insecure. That by itself is not
surprising, as *no known technology* could make it secure. What is
surprising is all the /unexpected/ insecurities that Democracy Live crammed
into OmniBallot -- and the way that Democracy Live skims so much of the
voter's private information.

https://freedom-to-tinker.com/2020/06/08/democracy-live-internet-voting-unsurprisingly-insecure-and-surprisingly-insecure/

Andrew Appel <appel@princeton.edu> has posted an extremely relevant article
in Freedom-to-Tinker: https://freedom-to-tinker.com/author/appel/

  The OmniBallot Internet voting system from Democracy Live finds surprising
  new ways to be insecure, in addition to the usual (severe, fatal)
  insecurities common to all Internet voting systems.

  There's a very clear scientific consensus that ``the Internet should not
  be used for the return of marked ballots'' because ``no known technology
  guarantees the secrecy, security, and verifiability of a marked ballot
  transmitted over the Internet.''  That's from the National Academies 2018
  consensus study report <https://doi.org/10.17226/25120>, consistent with
  the May 2020 recommendations from the U.S. EAC/NIST/FBI/CISA.
  <http://s3.amazonaws.com/ftt-uploads/wp-content/uploads/2020/06/07210015/Final_-Risk_Management_for_Electronic-Ballot_05082020-1.pdf>

  [Please read the entire paper and Andrew's commentary.  They are very
  revealing, and devastating for those persons who believe that Internet
  voting can be made secure.  Every known attempt seems to have been easily
  defeated: Washington DC 2010, Estonia 2014, Australia 2015, Scytl in
  Switzerland 2019, Voatz in West Virginia 2020, OmniBallot now.  Insiders
  at any of four private companies (Democracy Live, Google, Amazon,
  Cloudflare), or any hackers who manage to hack into these companies, can
  steal votes: Democracy Live doesn't run its own servers.  PGN-excerpted]

------------------------------

Date: Tue, 9 Jun 2020 10:11:57 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: More on Internet e-voting: Swiss Post purchases Scytl (SwissInfo)

Swiss Post set to relaunch its e-voting system | Sonia Fenazzi/SwissInfo
<https://www.swissinfo.ch/eng/swiss-post-set-to-relaunch-its-e-voting-system/45820842>
The controversial issue of e-voting is back: Swiss Post, which had halted
the development of a project in July 2019, has bought a Spanish-owned system
and plans to propose a platform ready for testing by 2021.

Opposition to the plans of Swiss Post remains strong.  The purchase was
reported on May 17 by the SonntagsBlick newspaper, who wrote that the deal
between Swiss Post and Spanish firm Scytl had been settled for an
unspecified amount.

The deal follows the bankruptcy of the Spanish company, with whom Swiss Post
had been working on a system until flaws discovered last year sparked a
political debate, which ended in the government dropping e-voting plans for
the time being.

Swiss Post spokesperson Oliver Flüeler confirmed to swissinfo.ch that
last summer, despite the opposition, his company decided to continue
developing a system on its own, and ``after several months of negotiations''
it secured the rights to the source code from Scytl.

The aim is now to propose an e-vote system by 2021 that ``takes into account
various federal particularities'' and ``responds even better to the high and
specific requirements of a Swiss electronic voting system'', Flüeler
said.

He added that Swiss Post takes public concerns about security and the role
of foreign suppliers very seriously, but insisted that it doesn't plan to go
it completely alone.

``In future, Swiss Post will increasingly cooperate with Swiss universities
of applied sciences, other higher education institutions and encryption
experts,'' he said. And ``to guarantee maximum security at all times, Swiss
Post will reissue the new improved source code so that independent
national and international experts can verify any weaknesses''.

Opposition

E-voting was first introduced in Switzerland on a limited basis in 2003, as
part of ongoing tests. However, political opposition and skepticism over the
safety of such a voting channel has been a constant over the years, and
again with this latest twist, not everyone is happy.

Franz Grüter, a right-wing parliamentarian who also heads a people's
initiative calling for a moratorium on e-voting projects in Switzerland,
criticised the Swiss Post move and called for a parliamentary inquiry.

``There are good reasons to check whether Swiss Post -- a state-controlled
company -- acted correctly and paid a fair price, because the whole thing
seems to lack transparency,'' he said.

The parliamentarian and IT entrepreneur added: ``It's hard to believe that
Swiss Post has paid an undisclosed price for a system which we already know
doesn't work properly. In other countries, too, Scytl systems have
experienced major problems. Perhaps that's precisely why the company went
bankrupt''.

He said Swiss Post should have started from scratch and developed an
entirely new system, ``which could have restored trust and therefore
considerably reduced opposition to e-voting'' -- an opposition that is
widespread in Swiss political circles.  [PGN truncated for RISKS]

------------------------------

Date: Mon, 8 Jun 2020 12:04:29 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Report Details New Cyber Threats to Elections From Covid-19
  (Maggie Miller)

Maggie Miller, *The Hill*, 5 Jun 2020 via ACM TechNews, Monday, June 8, 2020

A report compiled by New York University's Brennan Center for Justice
outlines a wide range of cyber threats stemming from voting changes prompted
by Covid-19. Such threats include attempts to target election officials
working on unsecured networks at home, recovering from voter registration
system outages, and securing online ballot request systems. Report co-author
Lawrence Norden said election officials already dealing with cyber threats
now face additional challenges due to the pandemic. Election-security
upgrades come with funding challenges because of Covid-19 disruptions, and
the Brennan Center calculates $4 billion must be appropriated to make needed
changes. Said Norden, "There is no question that what Congress can do, and
really has to do very soon, is provide more money to states and localities
so they can invest in election security over the next few months."
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-25818x222c47x066802&

------------------------------

Date: Mon, 8 Jun 2020 18:54:33 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: IBM ends all facial recognition business as CEO calls out bias and
  inequality (TechCrunch)

https://techcrunch.com/2020/06/08/ibm-ends-all-facial-recognition-work-as-ceo-calls-out-bias-and-inequality/

------------------------------

Date: Tue, 9 Jun 2020 10:44:34 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Cox slows an entire neighborhood's Internet after one person's
  'excessive use' (Engadget)

https://www.engadget.com/cox-slows-entire-neighborhoods-internet-after-one-persons-excessive-use-165844542.html

------------------------------

Date: Tue, 9 Jun 2020 09:53:48 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Environmentalists Targeted Exxon Mobil. Then Hackers Targeted Them.
  (NYTimes)

Federal prosecutors in Manhattan are investigating a global hacker-for-hire
operation that sent phishing emails to environmental groups, journalists and
others.

https://www.nytimes.com/2020/06/09/nyregion/exxon-mobil-hackers-greenpeace.html

------------------------------

Date: Tue, 9 Jun 2020 17:28:19 +0800
From: Richard Stein <rmstein@ieee.org>
Subject: Big brands bring the fight to Big Tech (Politico)

https://www.politico.eu/article/how-big-brands-chanel-canon-louis-vuitton-nike-are-taking-on-big-tech-silicon-valley-at-last/

The EU's Digital Services Act proposes platform rules to suppress and
prevent counterfeit IP sales, such as fraudulent-branded women's accessories
(handbags, shoes, etc.), that appear for sale on Amazon.com, Facebook,
Alibaba.
(https://www.digitaleurope.org/resources/towards-a-more-responsible-and-innovative-internet-digital-services-act-position-paper/)

The platforms now practice voluntary fraud prevention efforts: "Amazon said
the company invested 'over $500 million in 2019 and has more than 8,000
employees protecting [their] store from fraud and abuse.'"

"Despite these efforts, "it's still like comparing Chernobyl with [the Three
Mile Island nuclear accident in] Harrisburg,' Pennsylvania, Daniel