• Risks Digest 32.07 (2/2)

    From RISKS List Owner@21:1/5 to All on Fri Jul 3 18:11:54 2020
    [continued from previous message]

    provide cogent advice and analysis to legislators and policymakers about a
    wide range of issues including cryptography, computer security, privacy, and intellectual property.

    Simons is internationally known as an expert on voting technology, an
    advocate for auditable paper-based voting systems, and author of numerous papers on secure election technology. Through her publications, reports, testimony to the U.S. Congress, and advocacy, Simons has been a key player
    in persuading election officials to shift to paper-based voting systems, and has contributed to proposals for reforms in election technologies.

    Simons served as ACM President from 1998 to 2000. Since 2008, Simons has
    served as one of two U.S. Senate appointees to the Board of Advisors of the U.S. Election Assistance Commission, and she was named Chair of the Board of Advisors subcommittee on election security in 2019. She currently also
    chairs the Board of Directors of Verified Voting, a nonpartisan nonprofit organization that advocates for legislation and regulation that promotes accuracy, transparency and verifiability of elections. She remains active
    with ACM as a member of the global Technology Policy Council and as Co-chair
    of USTPC's Voting subcommittee.

    [Barbara has been a long-time contributor to efforts to achieve election
    integrity. This recognition is hugely well deserved. PGN]

    ------------------------------

    Date: Fri, 3 Jul 2020 09:55:17 -0600
    From: Brian Inglis <Brian.Inglis@systematicsw.ab.ca>
    Subject: Re: Ripple20 IP stack vulnerability may affect literally billion
    devices (Ishikawa, RISKS-32.06)

    The cause of the "billions" appears if you follow the trail to Intel: you
    find the stack embedded in management firmware in what appear to be many
    common (all PC?) products; Intel's statement that products for which no
    future releases were planned are out of support and were not evaluated for
    any vulnerabilities; and issued its own "CVEs" separate from the published "CVEs".

    Besides possible attempts at minimization, on the heels of ongoing announcements of new speculative execution vulnerabilities, mitigation microcode update issuances, withdrawals, and redos, I thought the whole
    point of the "CVE" database was for orgs to reuse existing ids, to simplify checking for existence of vulnerabilities and application of mitigation, not have to provide a "CVE" cross-reference table in a security announcement
    rated *CRITICAL*, covering what appears to be a number of organizational management components in many devices: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00295.html
    (find VU#257161)
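    The complaint above is that a second, vendor-private identifier namespace
    forces anyone checking patch coverage to carry a cross-reference table. The
    following Python is an added example, not code from the digest or from any
    vendor, showing why a plain string comparison of identifiers misses fixes
    once two namespaces are in play, and how resolving both sides through the
    advisory's cross-reference table before comparing avoids that. All
    identifiers in it are constructed placeholders in CVE and vendor-ID format,
    not the real Ripple20 numbers, and the cross-reference pairs are
    hypothetical.

```python
# Added example: alias-aware matching of vulnerability identifiers between an
# upstream disclosure and a vendor advisory that issued its own IDs for the
# same bugs. Every identifier below is a constructed placeholder; the
# cross-reference table is hypothetical.
from typing import Dict, Iterable, Set, Tuple


def normalize(ident: str) -> str:
    """Canonical spelling: trimmed and upper-cased, so 'cve-0000-00001 ' matches."""
    return ident.strip().upper()


def build_alias_map(cross_reference: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Union the ID pairs from an advisory's cross-reference table.

    Each (vendor_id, upstream_id) pair states that both names denote one bug.
    Returns a map from every known ID to a single representative per bug, so
    IDs linked only transitively (A->B, B->C) still resolve to the same root.
    """
    parent: Dict[str, str] = {}

    def find(x: str) -> str:
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups short
            x = parent[x]
        return x

    for a, b in cross_reference:
        ra, rb = find(normalize(a)), find(normalize(b))
        if ra != rb:
            if rb < ra:  # deterministic root: lexicographically smaller name
                ra, rb = rb, ra
            parent[rb] = ra
    return {ident: find(ident) for ident in list(parent)}


def resolve(ident: str, alias_map: Dict[str, str]) -> str:
    """Representative ID for `ident`; unknown IDs are their own representative."""
    n = normalize(ident)
    return alias_map.get(n, n)


def missing_fixes(required: Iterable[str], patched: Iterable[str],
                  alias_map: Dict[str, str]) -> Tuple[Set[str], Set[str]]:
    """Return (naive_missing, alias_aware_missing) as sets of upstream IDs.

    naive_missing compares ID strings directly, which is what a checklist
    built from the upstream disclosure does against patch notes written in the
    vendor's namespace. alias_aware_missing resolves both sides through the
    cross-reference table first, so only bugs with no fix in either namespace
    remain.
    """
    req = {normalize(r) for r in required}
    pat = {normalize(p) for p in patched}
    naive = req - pat
    patched_roots = {resolve(p, alias_map) for p in pat}
    aware = {r for r in req if resolve(r, alias_map) not in patched_roots}
    return naive, aware


# Constructed sample: four upstream placeholder IDs; the vendor renamed two,
# kept one as-is, and has not addressed the fourth at all.
UPSTREAM_IDS = ["CVE-0000-00001", "CVE-0000-00002", "CVE-0000-00003",
                "CVE-0000-00004"]
VENDOR_CROSS_REFERENCE = [          # hypothetical advisory cross-reference table
    ("VENDOR-SA-0001-A", "CVE-0000-00001"),
    ("VENDOR-SA-0001-B", "CVE-0000-00002"),
]
# What the vendor's patch notes list as fixed, in the vendor's own namespace
# (with the inconsistent casing real notes tend to have).
VENDOR_PATCHED = ["vendor-sa-0001-a", "VENDOR-SA-0001-B", "CVE-0000-00003"]


def demo() -> Tuple[Set[str], Set[str]]:
    alias_map = build_alias_map(VENDOR_CROSS_REFERENCE)
    return missing_fixes(UPSTREAM_IDS, VENDOR_PATCHED, alias_map)


if __name__ == "__main__":
    naive, aware = demo()
    print("naive string match reports unpatched:", sorted(naive))
    print("alias-aware check reports unpatched: ", sorted(aware))
```

    The naive comparison flags three of the four upstream IDs as unpatched, two
    of them falsely; the alias-aware comparison flags only the one bug that
    neither namespace covers. The union-find step is there because real
    cross-reference tables sometimes chain (vendor ID to partner ID to CVE), and
    a flat one-level lookup would silently drop those links.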

    ------------------------------

    Date: Mon, 29 Jun 2020 19:55:27 -0700
    From: "David E. Ross" <david@rossde.com>
    Subject: Re: Smells Fishy? The Fish That Prevent Iran From Hacking Israel's
    Water System (RISKS-32.06)

    I live in a small suburban community in Ventura County, a five-minute walk
    from the Los Angeles County line and about 10 miles from the western edge of the city of Los Angeles. The population is less than 15,000. Our water is
    not well water. Instead, it is snow melt from northern California. For Ventura and Los Angeles Counties, the California State Water Project
    aqueduct ends in the north end of the city of Los Angeles, where it is filtered, chlorinated, and fluoridated at the Jensen Treatment Plant. From there, Ventura County's portion is piped to the Bard Reservoir. As it
    leaves the Bard Reservoir -- and only at that location -- the water is again filtered, chlorinated, and thoroughly tested. It is also treated with ozone
    to treat organics (live or otherwise) that might pass through the filters or
    be immune to chlorine. It is then piped without further exposure to the environment to my house and to over 250,000 people in adjacent areas.

    Similar processes are involved in distributing water elsewhere in Ventura County and in Los Angeles County. Nasadowski made generalizations about
    water that do not apply to a very large population in the United States.

    ------------------------------

    Date: Mon, 29 Jun 2020 20:26:02 -0700
    From: Henry Baker <hbaker1@pipeline.com>
    Subject: Re: 40 msecs to go halfway around the Earth? (Cohen, RISKS-32.06)

    It's even worse than that; the speed of propagation in a fiber optic cable
    is only ~2/3 of the speed in a vacuum -- i.e., ~2/3c. This is one of the reasons why some High Frequency Traders (HFT's) want laser-based 'free
    space' communications links to provide lower latency.

    Perhaps lies propagate faster by means of quantum 'spooky lying at a
    distance'? Perhaps via the collapse of the 'hand wave' function?

    ------------------------------

    Date: Tue, 30 Jun 2020 13:05:42 +0100
    From: Michael Bacon <attilathehun1900@tiscali.co.uk>
    Subject: Re: 40 msecs to go halfway around the Earth? (Cohen, RISKS-32.06)

    Regarding Fred Cohen's detailed calculation, for which I thank him, I will merely say in defence of my hyperbole that neither William Shakespeare nor I indicated along which line of longitude (or latitude) lay the course of the lie.

    ------------------------------

    Date: Tue, 30 Jun 2020 17:09:09 -0700
    From: Henry Baker <hbaker1@pipeline.com>
    Subject: Re: Quote of The Day (George Orwell, 1984)

    An old Soviet black humor joke about constantly rewritten history:

    Predicting the future is easy;
    predicting the past is what's hard
    [behind the Iron Curtain].

    ------------------------------

    Date: Mon, 1 Jun 2020 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 32.07
    ************************
