    RISKS-LIST: Risks-Forum Digest Tuesday 21 April 2020 Volume 31 : Issue 70

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/31.70>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Zoom's security woes were no secret to its business partners (NYTimes)
    New Pressure on Voatz for false claims in Oregon (Politico)
    2B phones cannot use Google and Apple contact-tracing tech (Ars Technica)
    Microsoft says the pandemic argues for a federal privacy law (WashPost)
    Computer Fraud and Abuse Act (WashPost)
    What do SHARP IoT devices and facial masks produced by its factory have in
    common? (CNET Japan via Chiaki Ishikawa)
    Re: Australian Government proposes to distribute Coronavirus App
    (Michael Bacon)
    Re: Internet Usage update (Stewart Fist)
    Re: The world after coronavirus (3daygoaty)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Tue, 21 Apr 2020 10:43:32 PDT
    From: "Peter G. Neumann" <neumann@csl.sri.com>
    Subject: Zoom's security woes were no secret to its business partners
    (NYTimes)

    Natasha Singer and Nicole Perlroth, *The New York Times*, front page
    of the business section, today, 21 April 2020

    Interestingly, Dropbox sponsored a bug bounty program to find bugs in Zoom.

    Very informative article.

    ------------------------------

    Date: Tue, 21 Apr 2020 10:44:52 PDT
    From: "Peter G. Neumann" <neumann@csl.sri.com>
    Subject: New Pressure on Voatz for false claims in Oregon (Politico)

    Politico reports:

    The controversial mobile voting firm Voatz may have violated Oregon consumer
    protection law by making false claims about the security of its Internet
    voting app, an activist group said in a letter (attached) to Oregon Attorney
    General Ellen Rosenblum. In urging Rosenblum to investigate the company's
    behavior, Free Speech For People cited damning audits by researchers at MIT
    and Trail of Bits as well as Voatz's "false, misleading or specious"
    pushback to those audits as evidence that it violated the Unlawful Trade
    Practices Act in Oregon, where two counties have pilot-tested its app. The
    letter also cited Voatz's misrepresentation of a still-secret DHS audit and
    its refusal to release an audit performed by ShiftState Security. Susan
    Greenhalgh, Free Speech for People's senior adviser on election security,
    and Ron Fein, its legal director, argued that "Voatz has been making false,
    misleading or deceptive claims to promote and sell its product."

    Voatz told MC it would "participate in any conversation with the AG's office
    to resolve all questions." A spokesperson added, "We're believers that all
    technology should be considered, vetted, and tested carefully -- including
    ours." If Oregon opens an investigation, it would be merely the latest
    headache for the company. Already, the bad publicity from the excoriating
    security audits led West Virginia to cancel its partnership with Voatz for
    the state's May 12 primary. In 2018, West Virginia became the first state to
    let military and overseas voters use Voatz in a live election.

    "Voatz has been marketing its product with emphatic claims regarding
    security, but those claims don't hold up in the light of the independent
    security reviews recently published," Greenhalgh told MC. "It's time to
    investigate to determine if those faulty claims could constitute a violation
    of law."

    ------------------------------

    Date: Tue, 21 Apr 2020 01:42:36 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: 2B phones cannot use Google and Apple contact-tracing tech
    (Ars Technica)

    System developed by Silicon Valley relies on technology missing from older handsets.

    https://arstechnica.com/tech-policy/2020/04/2-billion-phones-cannot-use-google-and-apple-contract-tracing-tech/

    ------------------------------

    Date: Tue, 21 Apr 2020 9:13:10 PDT
    From: "Peter G. Neumann" <neumann@csl.sri.com>
    Subject: Microsoft says the pandemic argues for a federal privacy law
    (WashPost)

    *The Washington Post*, 21 Apr 2020

    Microsoft executives say the coronavirus pandemic underscores the need for a federal privacy law.

    ``In the U.S., the need for this conversation in the midst of a pandemic
    underscores the urgency for a strong federal privacy law,'' write Julie
    Brill, chief privacy officer, and Peter Lee, corporate vice president for
    research and regulation.

    ``An updated legal framework placing obligations on businesses that collect
    and use personal data would help provide the necessary guardrails for
    companies to know how to protect and respect personal data as they create
    tools and technologies to address urgent societal needs.''

    The Washington state tech giant is weighing in on a growing debate between
    privacy and public safety as it is providing AI to researchers, developing a
    self-checking tool and protecting hospitals from ransomware. The executives
    also released privacy principles to which they urge governments to adhere
    when using technology in their responses, including:

    * Providing transparency around why data is collected and how it is used
    * Giving people a choice over where their data is stored
    * Limiting data use to public health applications
    * Deleting data once the emergency is over

    ------------------------------

    Date: Tue, 21 Apr 2020 09:34:26 +0800
    From: Richard Stein <rmstein@ieee.org>
    Subject: Computer Fraud and Abuse Act (WashPost)

    https://www.washingtonpost.com/politics/courts_law/supreme-court-montana-superfund-epa/2020/04/20/872f22e0-8309-11ea-ae26-989cfce1c7c7_story.html
    (see bottom of Courts & Law section in the URL)

    "In the case the justices accepted, Van Buren was supposed to run searches
    only for official law enforcement reasons. Instead, he was paid by an
    individual working as part of a police sting operation to run a license
    plate belonging to an exotic dancer whom the man said he was interested in
    getting to know better."

    When police use a computer for an unofficial purpose, is it legal or not?

    ------------------------------

    Date: Wed, 22 Apr 2020 00:20:54 +0900
    From: "ISHIKAWA,chiaki" <ishikawa@yk.rim.or.jp>
    Subject: What do SHARP IoT devices and facial masks produced by
    its factory have in common? (CNET Japan)

    SHARP, a Japanese electronics company, turned one of its LCD factories into
    a facial mask maker earlier this year. The scarcity of facial masks in the
    market prompted the company to produce masks in the clean air room of its
    former LCD factory. Finally, it began shipping facial masks earlier this
    month, initially to medical facilities.

    Of course, SHARP produces many other home electronic goods including air
    conditioners, air purifiers, intelligent cooking devices, etc. In the
    recent IoT application framework, SHARP's IoT devices, including the goods
    mentioned in the previous sentence, can be controlled by a smartphone app
    via SHARP's cloud.

    The news is that after SHARP's mask sales to the general public started via
    its website on 21 Apr, users of SHARP IoT devices began reporting that they
    could not control them via the smartphone app any more. Local control using
    the infrared remote controller or physical switches works as usual.

    Why?

    It turns out that the SHARP IoT control app accesses an authentication
    server that happens to run on the SAME SERVER on which the web server that
    handles the sales of facial masks to the general public resides. The server
    could not keep up with the surge of workload due to the facial mask sales on
    21 Apr.

    The app seems to access the authentication server each time a command is
    invoked, adding to the workload surge. (The user enters a userid/password,
    and it seems the pair is cached locally on the phone, so the user does not
    have to retype it. However, each time a command is sent to a device, the
    authentication server seems to be accessed for authentication. Ouch.)

    Careful planning of server peak usage and the migration of server functions
    will be in order in the IoT age. (Not that it was unnecessary before, but
    careful server deployment planning is much more in demand now that there are
    devices that can be controlled by smartphones via a server, and some devices
    do not have an interactive LCD numeric display or buttons at all, relying on
    network-based control via smartphone alone (!).) Many of these IoT devices
    affect our daily living and, in the worst case, even our lives.

    BTW, I am dumbfounded at SHARP's response, as follows. It is as if there
    were no users of the smartphone app to control these devices. SHARP's PR
    department was contacted by the writer of the news article below, and
    according to it, SHARP plans to accept orders for facial masks at 10:00 A.M.
    each day, when the available amount of daily stock of masks delivered from
    the factory is entered, until the stock runs out for the day. This will be
    repeated daily from April 21st to May 10th. Such is the high demand for
    facial masks in Japan. SHARP says it has no plan to change this practice,
    but it will monitor the situation and may modify the sales practice.

    I bet irate SHARP users and their blog posts will FORCE SHARP to do
    something by the end of this week, given that we have an unusually cold
    April this year. A savvy network company would have switched the web server
    front-end to a different host in no time and possibly moved the backend
    database server to a different host very fast using replication.

    https://japan.cnet.com/article/35152681/  (in Japanese)
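
As an added illustration (not code from the RISKS post or from SHARP), the following Python model contrasts the per-command re-authentication the post describes with a client that caches a short-lived token; `AuthServer`, `IoTClient`, the credentials and the token lifetime are all constructed for the example. In the simulation the authentication server is swamped midway through; the cached-token client keeps working until its token expires, at which point it too is stuck.

```python
# Added example (not from the RISKS post or SHARP; names and numbers are
# constructed): per-command re-authentication vs. a cached short-lived token.
from dataclasses import dataclass
from typing import Optional

class AuthServerOverloaded(Exception):
    """The hypothetical auth server cannot keep up with its shared host's load."""

@dataclass
class AuthServer:
    overloaded: bool = False   # simulates the host being swamped by mask sales
    calls: int = 0             # how many requests reached the auth server
    token_ttl: float = 300.0   # seconds a token stays valid (constructed value)

    def authenticate(self, user: str, password: str, now: float) -> dict:
        self.calls += 1
        if self.overloaded:
            raise AuthServerOverloaded("authentication server busy")
        if (user, password) != ("alice", "correct-horse"):   # constructed creds
            raise PermissionError("bad credentials")
        return {"token": f"tok-{self.calls}", "expires_at": now + self.token_ttl}

@dataclass
class IoTClient:
    auth: AuthServer
    user: str
    password: str
    cache_token: bool            # False = the post's behaviour: auth every command
    _token: Optional[dict] = None

    def send_command(self, cmd: str, now: float) -> str:
        # Reuse the cached token while it is still valid; otherwise (or always,
        # when cache_token is False) hit the authentication server first.
        if not (self.cache_token and self._token
                and now < self._token["expires_at"]):
            self._token = self.auth.authenticate(self.user, self.password, now)
        return f"{cmd} accepted with {self._token['token']}"

def simulate(cache_token: bool, outage_at: int = 3, n: int = 6) -> tuple:
    """Send n commands a minute apart; auth is overloaded from index outage_at on.
    Returns (auth_server_calls, commands_that_succeeded)."""
    auth = AuthServer()
    client = IoTClient(auth, "alice", "correct-horse", cache_token)
    ok = 0
    for i in range(n):
        auth.overloaded = i >= outage_at
        try:
            client.send_command("air_purifier:on", now=60.0 * i)
            ok += 1
        except AuthServerOverloaded:
            pass      # remote control of the device fails for this command
    return auth.calls, ok
```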

    ------------------------------

    Date: Tue, 21 Apr 2020 11:34:13 +0100
    From: A Michael W Bacon <amichaelwbacon@gmail.com>
    Subject: Re: Australian Government proposes to distribute Coronavirus App
    (RISKS-31.69)

    Of the proposed app, John Colville said its use was:

    to help identify contacts of people who have been identified as having
    novel Coronavirus (COVID-19)

    This contains an error that is being made far too often in reporting on "contact tracing" apps.

    Unless the app is forcibly updated (and then locked) by a clinician, the
    user will *not* have been *identified* as being infected.

    The apps currently being touted in the Western world rely on the user
    updating the app with their diagnosis. If they desire not to, there is no
    compulsion, and if there were, how would it be enforced? Conversely, if an
    uninfected user decides to flag themselves as infected, there is nothing to
    stop them; post facto there might be a legal sanction ... but a defence
    would undoubtedly be: "I was running a temperature and decided to warn
    others."

    Consider in this latter instance a pupil who decides to "lockdown" their
    school and so marks themself as infected. Consider too the prankster who
    marks the app on a burner phone as 'infected' and ties it to a dog which is
    then allowed to run loose, or who hides the phone in a location
    visited/passed by many people (say a railway station, or a street in a
    business/commercial area - yes, even in these times). Hundreds to thousands
    of 'contacts' could/would be flagged in a short space of time through the
    exponential process.

    Then, from the app's perspective a 'contact' is not necessarily an
    epidemiological contact; there might well be a physical barrier between the
    parties.

    The effectiveness of such apps in Western society is questionable, and their
    use and abuse could cause more problems than the one they're trying to fix.

    The proposals have the hallmarks of the classical false syllogism: "We must
    do something; this is something; so we must do it."

    ------------------------------

    Date: Tue, 21 Apr 2020 09:44:52 +1000
    From: Stewart Fist <stewart_fist@optusnet.com.au>
    Subject: Re: Internet Usage update (RISKS-31.69)

    Would the Information Technology Community promote the idea that we should
    all pay a low fee for sending each email?

    I know every reader of RISKS will initially bristle at the idea. But, if we
    were charged, say, 1 cent per mail sent, then most individuals would pay
    only fractions of a dollar a day, and in a competitive world, this would be
    set off against annual fees.

    However, those scam organisations which exist by flooding the world's
    mailboxes with unwanted, illegal and disgusting emails by the millions
    would be quickly driven out of business.

    The global email and Internet system is never going to reach its potential
    until there is an actual money penalty for abusing the technology.

    Couldn't such a charge be introduced on a global scale at the borders?

    I believe it could.

    ------------------------------

    Date: Tue, 21 Apr 2020 10:53:55 +1000
    From: "3daygoaty ." <threedaygoaty@gmail.com>
    Subject: Re: The world after coronavirus (RISKS-31.69)

    The last time I looked, my state government attempted to have us all use a
    smart card to carry around and use to access the mass transport system.
    This ran years late and cost three times as much as they expected. I
    believe, but I can't prove, that at least 10% of users travel for free every
    day.

    You'd think *security experts* forced to wear the security anklets might
    turn their efforts to tricking the anklet (with a Gummy Bear, or something)?
    And so if my government forced 10 million bracelets (or apps or such) on us,
    how long would it take for someone to break or jam one and publish the
    instructions? A week?

    It reminds me of the film Gorky Park where apparently all the phones were
    surveilled but this was defeated by turning the rotary dialer and sticking a
    pencil in it. This is what all the characters in the film did when they
    needed a private conversation. The (very large) cost of listening to all
    those phones was subverted by a ten cent pencil.

    Aren't these technical asymmetries also a risk for Kim Jong Un?

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.70
    ************************
