Category: National

Data Breach Today – Infinite Future Harm!

From the Intercept, an explanation of the harm of data retention and theft: Data Theft Today Poses Indefinite Threat of “Future Harm”

We hear continuous claims that “I have nothing to hide, so who cares if they have my data”. Lets look at what might actually happen. The possibilities are endless.

From the Intercept, an explanation of the harm of data retention and theft: Data Theft Today Poses Indefinite Threat of “Future Harm”  <read>

We hear continuous claims that “I have nothing to hide, so who cares if they have my data”. Lets look at what might actually happen:

Benjamin Nuss was one of the nearly 80 million people whose social security number and personal information were compromised in this year’s Anthem data breach. He seems to have taken things in stride, continuing his daily routine of sharing computer time with his brother, eating healthy snacks and making crafts. Benjamin is four years old.

While it may seem trivial to think about the harm a preschooler will suffer from a data breach, the question is not what happens to him now, but what will happen years from now. Data theft poses an indefinite threat of future harm, as birthdate, full name and social security number remain a skeleton key of identity in many systems…

If the hackers pursue next steps in cyberespionage, they are likely to use the records they’ve acquired, cross-hatched with information from credit databases and even social media, to see who is vulnerable to blackmail or bribery for financial or personal reasons…

A first-person article by William Gerrity published two years ago by Slate and the website Zócalo Public Square gives a vivid picture of what may lie ahead for those targeted. In 2007, Gerrity was checking his email after a long day working as a real estate developer in Shanghai. “The message greeted me by a nickname known only to family and close friends,” he wrote, “and it contained a proposal: I could pay 1 million renminbi (about $150,000 at the time), in exchange for which the sender would not forward the attachments to my business partners or competitors.”

In this case, the hackers had obtained confidential business documents, as well as personal correspondence about the death of his mother. The FBI advised him to refuse the request, which he did. But imagine that the request was not for payment in cash, but in federal information. And imagine the trade was not in business documents, but evidence of misconduct or criminal behavior on or off the job. That’s bait, if acquired and used, that could be harder for some to refuse…

In fact, federal officials later acknowledged that the OPM breach included what’s called a Standard Form-86, on which new hires (including military and intelligence officials) must reveal details that could make them vulnerable to blackmail or influence, including prior drug use, financial woes, and criminal convictions. The form also asks for ties to citizens of other countries; thus the hackers, if they are Chinese, would quickly be able to determine who has friends and family in their country…

The possibilities are endless, or infinite as the article says. Lets just say:

  • A teen commits a crime due to negligence, error, or immature intention. It hurts another person, it would be embarrassing and could have a huge criminal penalty.
  • An adult commits a sexual, consenting indiscretion.
  • Even unknown to a person, they make an material error in a business transaction. For instance a mortgage application, or real estate listing that causes another person or organization significant harm.
  • Such could be used to intimidate that individual at any time.  Especially if they become a prominent public or private decision maker. Especially a law maker, chief executive, department head, Cabinet Member, Judge, regulator or President. Or even a person attaining a lower level critical position, with security clearances or control over government contracts.
  • Actually, the individual could be,unknowingly, groomed for that position by others who have that information, ready to use at the appropriate time.
  • Perhaps the individual was setup to commit the crime or indiscretion.  Perhaps it never actually happened, yet there is enough of a long buried false record, created for this specific purpose.

Read the article for more details on the risks and the legal issues surrounding this.  Be very careful before you ever sign on to accepting a settlement in a class action suit for a data breech.

 

Net of Insecurity — risks not anticipated by Founders

The Washington Post has a new set of articles, interviewing some of the founders of the Internet on how the it came to be built with insufficient security:

“I believe that we don’t know how to solve these problems today, so the idea that we could have solved them 30, 40 years ago is silly,”…

“They thought they were building a classroom, and it turned into a bank.”

The Washington Post has a new set of articles, interviewing some of the founders of the Internet on how the it came to be built with insufficient security: Net of Insecurity <read>

“I believe that we don’t know how to solve these problems today, so the idea that we could have solved them 30, 40 years ago is silly,” said David H. Crocker, who started working on computer networking in the early 1970s and helped develop modern e-mail systems…

“People don’t break into banks because they’re not secure. They break into banks because that’s where the money is,” said Abbate, author of “Inventing the Internet,” on the network and its creators.

She added, “They thought they were building a classroom, and it turned into a bank.”

ddfss

 

9 things about voting machines

The National Council of State Legislatures has a released a report on voting machines: Elections Technology: Nine Things Legislators May Want to Know

It makes a strong case for the importance of technology in elections, planning, and understanding the details. We especially an additional borrowed list within the report: Ten Things to Know About Selecting a Voting System

The National Council of State Legislatures has a released a report on voting machines: Elections Technology: Nine Things Legislators May Want to Know  <read>

It makes a strong case for the importance of technology in elections, planning, and understanding the details.

“What makes you lose sleep?” That’s what NCSL staff asked members of the National Association of State Election Directors back in September 2012. The answer wasn’t voter ID, or early voting, or turnout, as we expected. Instead, it was this: “Our equipment is aging, and we aren’t sure we’ll have workable equipment for our citizens to vote on beyond 2016.”

That was NCSL’s wake-up call to get busy and learn how elections and technology work together. We’ve spent much of the last two years focusing on that through the Elections Technology Project, funded by the MacArthur Foundation. One thing we learned is that virtually all election policy choices have a technology component. Just two examples: vote centers and all-mail elections. While both can be debated based on such values as their effect on voters, election officials and budgets, neither can be decided without considering technology. Vote centers rely on e-poll books, and all-mail elections depend on optical scan equipment to handle volumes of paper ballots.

It  points to the importance of security in voting systems, the risks of Internet voting and pointing out the ‘pressure’ to do Internet voting.  We especially an additional borrowed list within the report:

Ten Things to Know About Selecting a Voting System

While NCSL was finalizing its list of “things to know,” Merle King, executive director of the Center for Election Systems at Kennesaw State University in Georgia was working on another brand-new list with a similar goal. His list focuses on what to look for when choosing a voting system. Interestingly, there are no points of disagreement between our list and his and no overlap.

1. A voting system is the core technology that drives and integrates the system—and it is the part the voter touches.

2. Know who does what and why. Without clearly defined roles and responsibilities, problems will occur.

3. The true cost of ownership is the cost to purchase, operate and maintain a voting system over its life span. It is more than you think.

4. The request for proposal (RFP) is your first, last and best chance to get the system requirements right. Systems are never better than the RFPs used to define the requirements.

5. Changing a voting system is like changing tires on the bus … without stopping. A transition plan may allow the seamless migration from the old system to the new system, with minimum disruption.

6. Training and education may cost more than the purchase price of the system when you factor in voter education, poll workers, election officials, etc.

7. How long will new systems last? What shortens their lives? What needs to be done before purchase to ensure long life?

8. All modern voting systems are “multimodal,” meaning they will have to function for vote-by-mail ballots, in-person voting, online ballot return, etc. That means flexibility in the architecture is required to avoid retrofitting later.

9. Either you manage vendors or they manage you. Pick.

10. Know the “known unknowns,” such as security, accessibility, auditability, usability, voter convenience, transparency of process and testing and certification requirements.

Concerned with two partisan registrars? Be careful what you ask for.

How to manage and judge our elections without partisan bias is tough. Occasionally Secretary’s of State act in blatantly partisan ways. Cases in recent history include Catherine Harris in Florida and Ken Blackwell in Ohio.

Here in Connecticut the Secretary of the State proposed turning elections over to a single unelected official in each town, rather than the current two elected registrars of opposing parties.

Meanwhile in Kansas a bill would give the Secretary of State the power to prosecute election fraud.

How to manage and judge our elections without partisan bias is tough. Occasionally Secretary’s of State act in blatantly partisan ways. Cases in recent history include Catherine Harris in Florida and Ken Blackwell in Ohio.

Here in Connecticut the Secretary of the State proposed turning elections over to a single unelected official in each town, rather than the current two elected registrars of opposing parties. Later that bill was changed dramatically – watered down, yet still increasing the Secretary’s powers in several ways, including temporarily suspending registrars.  We are skeptical of a single unelected official in each of our 169 towns would actually be non-partisan.  We would rather see regionalization with professional administration because it would be more professional, and less likely to be partisan. We are also skeptical of a single elected official being able to suspend other elected officials.

Bi-partisan management/judgement does not always work.  It seems to work better in Connecticut towns than it does Nationally. Take the Federal Elections Commission – please! A recent article in the Hill:   Partisanship stalemates FEC, says report <read>

Meanwhile in Kansas a bill would give the Secretary of State the power to prosecute election fraud.  How one feels about that bill may depend on one’s political opinion of the sitting Secretary and one’s opinion of election fraud.  Similarly one may lean for or against the Connecticut Secretary being able to remove registrars based on the current Secretary.

We suggest caution in Connecticut and in Kansas.

The limits of Democracy w/o Information

Last week Secretary of the State, Denise Merrill, addressed the League of Women Voters of Northeastern Connecticut on a variety of topics. One of the items discussed was the lack of education in civics and its possible link to the lack of participation by younger voters. The two are certainly related, yet we also live in an age when the at least over the last two administrations, the Constitution has been ignored in the name of security – just when those voters have come of age.

Also I recently read “They Know Everything About You”, which I highly recommend. This week the author, Robert Scheer, was interviewed in a seven part series at the Real News. Part three is particularly relevant to the subject of Democracy and information available to the voters. <video>

Last week Secretary of the State, Denise Merrill, addressed the League of Women Voters of Northeastern Connecticut on a variety of topics.  One of the items discussed was the lack of education in civics and its possible link to the lack of participation by younger voters.  The two are certainly related, yet we also live in an age when the at least over the last two administrations, the Constitution has been ignored in the name of security – just when those voters have come of age.

Also I recently read “They Know Everything About You”, which I highly recommend.  This week the author, Robert Scheer, was interviewed in a seven part series at the Real News.  Part three is particularly relevant to the subject of Democracy and information available to the voters. <video>

Non-Science: “What you know for sure that just ain’t so.”

“It ain’t what you don’t know that gets you into trouble. It’s what you know for sure that just ain’t so.” – Mark Twain

Non-Science Nonsense is bad enough. But even worse is what we all thing is true that is not.  Five examples from just the FBI and our common understanding, as articulated in The Intercept: Five Disturbing Things You Didn’t Know About Forensic “Science”

When it comes to voting, the public, election officials, and legislators believe many false facts,

“It ain’t what you don’t know that gets you into trouble. It’s what you know for sure that just ain’t so.” – Mark Twain

Non-Science Nonsense is bad enough. But even worse is what we all thing is true that is not.  Five examples from just the FBI and our common understanding, as articulated in The Intercept: Five Disturbing Things You Didn’t Know About Forensic “Science” <read>

When it comes to voting, the public, election officials, and legislators believe many false facts, including:

  • Secure/safe Internet voting – no such thing yet proven, and unlikely at least for years
  • Military Level Encrypton
    • There is no such official definition
    • The military has been unable to protect its networks and secrets
    • Encryption is not a panacia
  • Email/fax voting is not Internet voting
    • Email uses the Internet
    • Email is hacked all the time, and is available to the NSA, Google, ATT etc.
    • Fax uses the equivalent or the actual Internet
  • Internet banking is safe – banks lose billions each year to Internet fraud
  • Voting is the same as banking – Voting is harder to secure that banking
  • Connecticut’s Post-Election Audits have proven our scanners are always accurate
    • The audits have been conducted in a manner that would not recognize errors
    • Our scanner results have been inaccurate, audits have discovered errors
    • Fraud has been shown to be possible with our scanners at any time
  • Time to stop auditing since the scanners have been proven accurate
    • Audits of Taxes, Business, and Government will always be necessary

We can be sure there are many more that we all believe, or most of us believe.

UK Considers risky online voting…Safe enough for democracy?

Guardian article, apparently titled by an editor who trusts MPs opinions more than scientists and experience: Why electronic voting isn’t secure – but may be safe enough .

Safe enough, not for democracy. The link to the article says it better “Why Electronic Voting is NOT SECURE.

Guardian article, apparently titled by an editor who trusts MPs opinions more than scientists and experience: Why electronic voting isn’t secure – but may be safe enough <read>

Safe enough, not for democracy. The link to the article says it better “Why Electronic Voting is NOT SECURE.

From the Article:

The UK has run trials for local elections before – in 2002, 2003 and 2007 – and Estonia famously became the first to offer online voting for its general election for parliament in 2007.

However, Meg Hillier, Labour MP and member of the digital commission that wrote the 2020 report, admitted that the team was “not set up to investigate in detail the issues of security and the mechanisms for delivering that,” hoping that the Electoral Commission “and others will take that on”…

The MPs debating that report all accepted that e-voting security was a concern, but believe the challenges are outweighed by the benefits.

Campaign group WebRoots Democracy laid out the argument for online votes in its own report, claiming two thirds of respondents to a survey would be more likely to vote if they could do so online, and that’s particularly true for younger voters.

Plus, the report claimed online voting would cut the cost per vote by a third to £2.59 and reduce the number of accidentally spoiled ballots.

Those same promises have been made before, each time the UK has previously trialled the idea. In 2002, five city councils let voters cast a ballot by home internet, text message and “kiosk”; in 2003, that was expanded to 14 councils.

Turnout increased by an average 4.9 points, but varied widely, with South Tyneside leaping by 20 percentage points and Vale Royal sliding by two points.

Following the 2003 elections, a report by the BBC showed e-voting “failed to make much of an impact”. Voters were given a ballot number and a PIN, but there were issues with technology – in St Albans, PCs in polling booths had connectivity issues and had to be abandoned for paper ballots…

All of the potential benefits are moot if we can’t trust the result, but so far there haven’t been any attacks against e-voting systems – or at least none we’re aware of.

As a report into e-voting in Switzerland from Harvard’s cyber law department pointed out, the digital option has remained poorly used by the electorate.

“It is reasonable to assume, however, that the systems will be exposed to higher numbers of attempted attacks and manipulation as the use of e-voting becomes more widespread,” the report noted.

If the government does press forward with e-voting trials, as it appears set to do, it needs to get some experts in, Anderson said – and there’s one Green politician who knows the issue inside and out.

UK should consider e-voting, elections watchdog urges

Despite spending years developing GNU.FREE, a free online voting system, Jason Kitcat – leader of Brighton and Hove City Council – isn’t a fan of e-voting (nor is his party).

“Through working on this I came to the conclusion, now shared by most computer scientists, that e-voting cannot be delivered securely and reliably with current technology. So I stopped developing the system but continued to campaign on and research the issues,” he said…

“When I and colleagues have monitored trials we have always observed serious flaws in the security and reliability of the systems used,” he said. “Yes, we have found problems every single time, and we have documented these at great length in peer-reviewed articles.”

Kitcat argued there are three requirements for robust political elections: security, anonymity and verifiability. “Meeting those three requirements is a very difficult problem quite unlike other transactions,” he said….

”Online banking suffers problems but refunds are possible after checking your bank statement. You can’t ‘refund’ a vote and ‘vote statements’ can’t be provided to check your vote was correctly recorded as that would enable vote selling and coercion.”
All that paper in standard ballots may seem old fashioned, but it leaves a trail that votes cast from PCs and phones don’t, agreed other experts. “There’s a fundamental conflict between verification and keeping votes anonymous,” Jim Killock, executive director of the Open Rights Group. “Paper ballots do this very neatly but computers find this hard because they leave audit trails.”

Voting away from polls raises the spectre of vote manipulation, explained Ross Anderson, a computer security professor at the University of Cambridge.

“When you move from voting in person to voting at home (whether by post, by phone or over the internet) it vastly expands the scope for vote buying and coercion, and we’ve seen this rising steadily in the UK since the 2001 election where postal votes first became a right,” he said. “All the parties have been caught hustling up the vote in various ways.”…

“Internet voting is frankly scary,” he said. “When security experts looked at the Estonia election, they were shocked at how easy it was to defraud the system and steal votes … We shouldn’t gamble with democracy.”

Lack of transparency is another major security issue – especially if the data collection, analysis and storage happens in IT systems that aren’t fully transparent or are difficult to understand.

Aaron Swartz, me, you, and our money.

Aaron Swartz “killed by our Government.” ? Fittingly his life, torture, and death available for all in an outstanding, free documentary. What does this have to do with you and me? Why is it fitting that the documentary is free?  Read on.

Aaron Swartz “killed by our Government.” ? Fittingly his life, torture, and death available for all in an outstanding, free documentary. What does this have to do with you and me? Why is it fitting that the documentary is free?  Read on.

Some who believe that our Government is always right or don’t know the full Aaron Swartz story, simply see it as:

“He was a criminal, so he deserves what he got.”

True, he was a criminal like Daniel Ellsberg or Martin Luther King.  What he did was more like King than Ellsberg, a virtual protest against a certain type of copyright, yet he was facing 35 years in prison. Actually he was yet to be convicted, committed suicide. Our Government did the prosecution. Was it fair or was it overkill?

There is more. The enormous loss is ours.  A powerful life cut short, enormous potential lost. As he said “I want to make the World a better place.”.  You be the judge of his actions, and history will judge how far the changes and his influence will last. (Yet, today as we celebrate net neutrality, we can see that we might not be here without Aaron’s efforts.)

What Was The Crime?

Was it at the level of terrorism? Or more like blocking traffic in protesting a business he disagreed with, trespassing at a Government facility, or speaking out at a Congressional hearing?

Aaron  was protesting at the time of his arrest against a certain kind of copyright, legally demonstrating a certain type of theft, yet protesting a theft from us, of the rewards of our investment. All of us.

He violated some rules at MIT, broke into the network and downloaded a trove of files – making illegal copies of a large database of research papers, largely paid for by our Government and foundations. Some would say our property. The crime he was protesting was private libraries that charge for public access to those publications.  Make huge sums, yet neither the creators of the information or their sponsors (largely us) reap the rewards.  Watch the film. It is a very good film, yet it has a sad ending.

Me and You

As the documentary points out, we all lose when information we paid for is not available for our use.  Cures for cancer?  Food safety?  Information needed by our legislature.

This all came home to me yesterday.  I was testifying against a bill to the legislature. My testimony was basically a cut-and-paste of past testimony – presenting past arguments to the current legislature the same concerns with a law proposed this year, similar to previously proposed laws. As usual my testimony was based on documented facts.

One of the legislators pointed out one of my links to an academic paper was broken.  It was a link to a paper by researchers at the University of Wisconsin partially underwritten by PEW, formerly for several years, available for free at PEW. No longer. It is now behind a “pay wall” at one of those libraries. Just the type of paper and wall Aaron was protesting. I was able to point the legislators to a) A summary of the paper, b) An abstract, and c) The pay wall where anyone could purchase a copy. Unfortunately,

  • These proved there was such an article, gave the general drift of the article, yet failed to cover critical statistic in my testimony; failed to describe in extensive detail why many earlier studies were flawed and the care taken by these researchers to provide a more complete analysis.
  • Left anyone wanting more; wanting to verify my claims with only the option of paying the fee.
  • I could have accessed a .pdf for that same  fee, but posting it for the legislature to see would risk the same crime and potential prosecution.
  • And what about that person or legislature in another state doing research on similar laws, they may never find this critical information, that they helped underwrite?
  • So we all lose the value of the research we paid for.

Watch the film and see what we also lost with the loss of Aaron Swartz.

So you want to connect voting machines to the Internet?

60 Minutes Shows Threats to Autos and Voting Machines are Real

We need a system that does not rely on trusting the Government or the abilities of officials and pollworkers. Sometimes the risks sound crazy and too theoretical and unlikely. For several years it has been known that many vehicles can be taken over via the Internet – but not really understood at a gut level. Last week 60 Minutes demonstrated the risks to Lesley Stahl so she will never forget, and perhaps by watching her we will also understand.

Among the other reform calls in Connecticut are those to “do anything to get results faster on election night – any results”.  One proposal is to connect our voting machines directly to the Internet to collect results. There is a reason our voting machines are not connected to the Internet. UConn and other researchers have long pointed out the risks <October 2007 article>

60 Minutes Shows Threats to Autos and Voting Machines are Real

We need a system that does not rely on trusting the Government or the abilities of officials and pollworkers. Sometimes the risks sound crazy and too theoretical and unlikely.  For several years it has been known that many vehicles can be taken over via the Internet – but not really understood at a gut level.  Last week 60 Minutes demonstrated the risks to Lesley Stahl so she will never forget, and perhaps by watching her we will also understand: DARPA: Nobody’s safe on the Internet <video at 6:45 > Or watch the entire video to understand that the Defense Department is regularly attacked and how they can attack the appliances in and around your house.

If the Defense Department can’t protect itself, if auto companies can’t protect us, why would we think the State of Connecticut could protect us? Or local registrars of voters in our 169 towns?

In fact, Arthur House, Chair of our utility control agency is concerned that utilities and the State together cannot protect our power infrastructure. <here>

Yet its even worse.  Not only can’t the Defense Department protect itself, the Federal Government actually makes it harder for private enterprise to protect us – in the name of “national security” they make us more vulnerable, while they also make “security theater” claims of increasing security, NYTimes:  Obama Heads to Security Talks Amid Tensions <read>

President Obama will meet here on Friday with the nation’s top technologists on a host of cybersecurity issues and the threats posed by increasingly sophisticated hackers. But nowhere on the agenda is the real issue for the chief executives and tech company officials who will gather on the Stanford campus: the deepening estrangement between Silicon Valley and the government…

Now, the Obama administration’s efforts to prevent companies from greatly strengthening encryption in commercial products like Apple’s iPhone and Google’s Android phones has set off a new battle, as the companies resist government efforts to make sure police and intelligence agencies can crack the systems…

“What has struck me is the enormous degree of hostility between Silicon Valley and the government,” said Herb Lin, who spent 20 years working on cyberissues at the National
Academy of Sciences before moving to Stanford several months ago. “The relationship has been poisoned, and it’s not going to recover anytime soon.”…

The F.B.I., the intelligence agencies and David Cameron, the British prime minister, have all tried to stop Google, Apple and other companies from using encryption technology that the firms themselves cannot break into – meaning they cannot turn over emails or pictures, even if served with a court order. The firms have vociferously opposed  government requests for such information as an intrusion on the privacy of their  customers and a risk to their businesses.

Meanwhile in the wake of the theft of health records from Anthem, Connecticut legislators are demanding encryption for health insurers <read> We wonder if they will ask the U.S. Government to stop compromising encryption. Others are asking who is benefiting from the Anthem attack? <read>