• Risks Digest 31.75

    From RISKS List Owner@21:1/5 on Tue Apr 28 14:05:17 2020
    RISKS-LIST: Risks-Forum Digest Tuesday 28 April 2020 Volume 31 : Issue 75

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/31.75>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    States Expand Internet Voting Experiments Amid Pandemic, Raising
    Security Fears (Miles Parks via PGN)
    Attackers exploit 0-day code-execution flaw in the Sophos firewall
    (Ars Technica)
    Windows virus files on a Mac lead to weeks of problems (Rex Sanders)
    After prolonged service outage, Petnet shuts down, citing coronavirus
    (Ars Technica)
    Re: Spam filter censoring COVID content (John R. Levine)
    Re: How NASA does software testing and QA (Martin Ward)
    Re: Google's auto-complete for speech can cover up glitches in video
    (Martin Ward)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Tue, 28 Apr 2020 10:20:31 PDT
    From: "Peter G. Neumann" <neumann@csl.sri.com>
    Subject: States Expand Internet Voting Experiments Amid Pandemic, Raising
    Security Fears (Miles Parks)

    [Adapted for readability in RISKS. Interspersed screenshots are omitted.
    Please see the original URL for the full story online, or listen to the
    three-minute Morning Edition clip. This topic has long been at the
    forefront in RISKS. I am grateful to Miles Parks for a superb treatment
    of the pros and cons. The November election will certainly be a relevant
    topic here. PGN]

    *Coronavirus Drives States To Pilot Internet Voting*
    *Voters with disabilities, as well as those who serve in the military and live overseas could cast ballots via their phone or home computer even as security experts warn the technology can't be trusted.*
    https://www.npr.org/2020/04/28/844581667/states-expand-internet-voting-experiments-amid-pandemic-raising-security-fears

    Miles Parks, Heard on Morning Edition, NPR, 28 Apr 2020, 5:00 AM ET
    <https://www.npr.org/programs/morning-edition/2020/04/28/846887293/morning-edition-for-april-28-2020>

    Election officials nationwide are preparing for what may be the highest
    election turnout in modern history in the middle of a pandemic. In response, several states will be turning to a relatively new and untested form of Internet-based voting to aid the voters who may have the most trouble
    getting to the polls.

    In the latest demonstration of the technology, Delaware will allow voters
    with disabilities to return their ballots electronically in its primary election next month, becoming the second U.S. state to do so. The decision comes despite grave warnings from the cybersecurity community that the technology doesn't offer sufficient safeguards to protect the integrity of
    an election.

    NPR is the first to report the development, which has yet to be announced publicly. Both the state, and the Seattle-based company administering the technology, Democracy Live, confirmed the decision, although they dispute
    the term "Internet voting" for the cloud-based system.

    Earlier this year, West Virginia passed a bill to allow the use of the technology for disabled voters, after becoming the first state to allow overseas and military voters to use an app to vote in the 2018 midterms. Delaware will also allow overseas and military voters to use the technology.
    <https://www.wvpublic.org/post/bill-allow-electronic-voting-west-virginians-disabilities-passes-legislature#stream/0>
    <https://www.npr.org/2019/11/07/776403310/in-2020-some-americans-will-vote-on-their-phones-is-that-the-future>

    A third state, New Jersey, is considering making the technology available
    for voters with disabilities and overseas voters, according to an election official with knowledge of the state's plans. A state elections spokesperson did not respond to a request for comment.

    The developments are sure to worry election security advocates. Until the pandemic struck, their efforts were focused on cybersecurity following the
    2016 election, when Russian operatives successfully hacked election networks
    in multiple states. Since then, many states have increased their security protocols and generally moved away from all-electronic voting systems back towards paper ballots.
    <https://www.npr.org/2019/05/16/723996207/possible-more-counties-than-now-known-were-hacked-in-2016-fla-delegation-says>

    Those in favor of Democracy Live's system argue that it is a paper-based system, because when a voter elects to electronically submit their ballot,
    an election official must print it out before it's counted.

    But most security experts scoff at that concept because the ballot is transmitted via the Internet before it reaches the stage where it's printed, leaving it potentially vulnerable to cyber-manipulation.

    "In the computer security business, we worry about worst-case scenarios, and the downside risk of the Democracy Live model is really bad," said Doug
    Jones, a computer science professor, and election security expert at the University of Iowa. "If the voter is marking the ballot using a device, it's
    an online ballot-marking system, and if the physical ballot is not printed
    by the voter, it's online voting."

    Still, there are signs that the general public may be becoming more open to
    the idea. A survey this month by TargetSmart, a data analytics firm that
    works with Democrats, found that a plurality of voters support Internet
    voting as a response to the coronavirus crisis.
    <https://insights.targetsmart.com/covid-19-and-elections-findings-from-a-national-poll-of-american-voters.html>

    But advocates of Internet voting technology are clear that they don't see it stopping with relatively small slices of the electorate such as overseas
    voters and voters with disabilities, or being restricted to times of
    crisis. They see it as the future of voting.

    "You know, eventually we can't hold back the tide. We're going to get
    there," said Bryan Finney, the CEO and founder of Democracy Live. "Next generation voters are going to demand next generation voting technologies."

    *Who Paper Leaves Behind*

    The pandemic took hold in the U.S. in the middle of primary season during a presidential election year. Officials around the country are scrambling with how to make sure the democratic process doesn't become a casualty.

    Many voters are concerned about the potential health risks of casting
    ballots in-person. During Wisconsin's recent controversial primary, voters wearing masks stood in long lines to cast ballots, sometimes relying on DIY safety measures crafted by election officials. State health officials say at least 36 voters and poll workers have subsequently tested positive for COVID-19.
    <https://www.politico.com/news/2020/04/27/wisconsin-tested-positive-coronavirus-election-211495>

    In response, many jurisdictions and states are looking for alternatives
    to in-person voting.

    While ballots cast by mail are viewed by many as highly accessible, they
    leave some people behind, says Eric Bridges, the executive director of
    the American Council of the Blind.

    Bridges authored a letter to congressional leaders earlier this month
    pushing for online voting, which was signed by more than 70 national, state, and local disability advocacy groups.
    <https://www.prnewswire.com/news-releases/congress-must-protect-the-voting-rights-of-people-with-disabilities-301039474.html>

    "To complete a paper ballot one is required to, at the least, read standard text, physically write and/or fill in the ballot choices, seal and certify
    the ballot via a signature on the envelope, and mail the ballot back to the appropriate voting official to be counted," Bridges wrote. "Each of these
    steps may act as a barrier to voting for voters who are blind and disabled."

    The Democracy Live system that will be used this summer allows voters with disabilities to access and mark their ballots on their own accessible
    devices, meaning voters can fill them out without help and send them in
    using whatever technology suits their specific physical needs.

    Typically, voters with these sorts of needs have had to travel to a polling place to use an accessible voting machine, but the pandemic may make that difficult this year.

    Bridges doesn't think politicians have purposefully or maliciously failed to take the needs of voters with disabilities into consideration by expanding mail-in voting.

    "It doesn't make it any less frustrating or angering to be completely honest," Bridges said. "It's just sort of like we weren't even considered; there wasn't even a debate that took place where we could serve and volley."

    When asked about security concerns with the technology, he said that's
    not his job, that's the role of security firms and the government.

    "We want access," Bridges said. "It's not really up to the American
    Council of the Blind to ensure that these systems are secure."

    *'Risk appetite' *

    Returning ballots electronically is still in a pilot phase, with the states taking it one election at a time. But Finney said he expects at least five states to offer his company's ballot return technology to voters with disabilities in November's general election.

    It's a major development to expand the use of such systems beyond just
    military and overseas voters, since many of those voters already vote by
    what are considered insecure methods like email and fax. Disabled voters in many instances will be choosing to electronically transmit their ballot
    instead of using a completely paper system.
    <https://www.ncsl.org/research/elections-and-campaigns/internet-voting.aspx>

    The Democracy Live ballot return system stores a voter's ballot and then
    allows an election official to access and print it.

    Finney, however, doesn't prefer the term "online voting."

    "It's a loaded term... Really what this is, is a secure portal. If anything, it's a document storage application," Finney said. "When people think of
    online voting, they're thinking it's all being tabulated online."

    But a number of cybersecurity experts disputed that characterization
    when presented with it by NPR.

    "Sorry, but what a load of bull****," said Joe Kiniry, a principal scientist
    at Galois, the company contracted by the federal government to develop a
    secure and open source voting machine.
    <https://www.vice.com/en_us/article/yw84q7/darpa-is-building-a-dollar10-million-open-source-secure-voting-system>

    The phrase online voting encompasses any voting system where "voter choices
    are transmitted over a wide area network," Kiniry said, and has nothing to
    do with how those ballots are counted. "Online voting is not a loaded term.
    It has a very simple definition that has been widely agreed upon in the research community for about 40 years."

    Cities, counties and states are largely free to use whatever voting
    technology they want because elections are run at the local level with
    very limited federal oversight.

    In the case of online voting, there's also very little financial risk.
    Tusk Philanthropies, a nonprofit funded by multimillionaire Bradley
    Tusk, is funding many of the pilots with an aim at expanding Internet
    voting and increasing turnout in U.S. elections.

    Tusk told NPR earlier this year that he hopes to fund as many as 50 mobile voting pilots in the coming five years.

    "Everyone who doesn't want this to happen is never going to say, 'We oppose mobile voting because we don't want higher turnout,'" Tusk said in
    January. "They're going to say, 'It's not safe.' And if we have proven 30,
    40, 50 times over that it is safe, it's a lot harder for those objections
    and arguments to fly."

    Election security experts say that rigorous independent auditing is needed
    in order to reassure the public the results are legitimate. That's lacking
    in the case of Democracy Live, says Sen. Ron Wyden, D-Ore., who has opposed online voting for many years.

    Wyden does believe voters with disabilities should have access to software
    that allows them to mark their own ballot using their own accessible
    machine, but he thinks those ballots should then be mailed in, not returned electronically.

    "It is simply irresponsible to allow online voting, when leading experts
    have warned specifically that this technology is dangerous and before a
    system has passed an audit by independent experts," Wyden said in a
    statement to NPR. "So far none of these products has passed that test.
    It is far too risky to gamble the Constitutional rights of voters with disabilities on unproven tech."

    West Virginia dropped its previous online voting vendor after a number of independent investigators cited security issues with its system.
    <https://www.nbcnews.com/tech/tech-news/west-virginia-backtracks-using-smartphone-voting-app-state-primary-n1145571>
    <https://blog.trailofbits.com/2020/03/13/our-full-report-on-the-voatz-mobile-voting-platform/>
    <http://news.mit.edu/2020/voting-voatz-app-hack-issues-0213>

    Overall, the amount of voters using some form of Internet ballot return in
    2020 is still expected to be minuscule; Finney expects less than 10,000
    voters nationwide. And he says he doesn't think the systems should be used
    more widely until there have been more pilots.

    But many election officials say they shouldn't be used at all. One state election director who requested anonymity in order to speak candidly called
    the technology "the third rail" of voting systems because they ignite such controversy.

    Similarly, Washington Secretary of State Kim Wyman gives two reasons for why she has pushed back for 20 years against various efforts to expand Internet voting.

    "The Internet is not secure, and we know this more today than I did 20 years ago," Wyman says.

    The second problem has less to do with technology, but is tougher to solve
    she says: convincing voters in a close election that the results are
    legitimate when they don't understand the underlying technology.

    Ahead of a highly polarized presidential election, Wyman says it's not
    the time to introduce new technology.

    "We can't put our election at risk to technology we cannot guarantee is
    secure, and right now, in 2020, we cannot guarantee that any electronic transmission of a ballot is secure," Wyman said. "While it seems like electronic voting would really solve a lot of problems, it would create far more mistrust than I think we have the risk appetite for."

    ------------------------------

    Date: Tue, 28 Apr 2020 08:00:08 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Attackers exploit 0-day code-execution flaw in the Sophos firewall
    (Ars Technica)

    Yep, in-the-wild SQL injection exploits in 2020 are still a thing.

    https://arstechnica.com/information-technology/2020/04/sophos-firewall-0day-allowing-remote-code-execution-comes-under-attack/

    ------------------------------

    Date: Mon, 27 Apr 2020 21:32:14 -0700
    From: "Rex Sanders" <rex.sanders@usa.net>
    Subject: Windows virus files on a Mac lead to weeks of problems

    At work several years ago, a few email attachments containing very old
    Windows viruses slipped through our scanners to land on my Mac. Weeks later, enterprise Mac antivirus software reported this "emergency" and within
    minutes the IT cops confiscated my laptop. Much argument back and forth
    ensued on how to disinfect this machine. I finally convinced them to remove
    the offending files and rescan for malware so I could get back to work.

    If life were only that simple.

    IT support reasonably insisted on scanning my external Apple Time Machine backup drive, too. TM uses file-system links to make one copy of a static
    file appear in multiple timeline views -- "YOU ARE IN A MAZE OF TWISTY
    LITTLE PASSAGES, ALL ALIKE." The not-Mac-savvy AV software didn't know that,
    so proceeded to scan every long-lived file many dozens of times, once for
    each link. The projected completion time was measured in months. We agreed
    to wipe that disk and rely on less-frequent network backups if needed.

    Except the AV software had another bug. Every time that Mac plugged back
    into the network, the program would report the exact same but now removed
    virus "infection" again. IT cops return, lather, rinse, repeat. Which
    triggered another rule -- after three tries at disinfection they wipe your machine and restore from backups. In my case this would also restore the virus attachments, which I pointed out repeatedly to no avail. I'm now approaching two weeks without a computer or access to my files.

    So I called in some very high-level favors, which triggered a 12-way
    conference call spanning four time zones. Someone on the call suggested removing and re-installing the AV software on that Mac. Bingo -- no more
    false positive reports. Within 24 hours I got my laptop back, mostly intact.

    The risks here are numerous and mostly obvious. Buggy Mac AV software and inflexible IT policies are at the top of my list.

    ------------------------------

    Date: Tue, 28 Apr 2020 11:41:46 -0600
    From: Jim Reisert AD1C <jjreisert@alum.mit.edu>
    Subject: After prolonged service outage, Petnet shuts down, citing
    coronavirus (Ars Technica)

    [Follow-up to RISKS-29.65, old item]

    Kate Cox, 27 Apr 2020
    The COVID-19 crisis may just be the last nail in the coffin for the company.

    https://arstechnica.com/information-technology/2020/04/after-prolonged-service-outage-petnet-shuts-down-citing-coronavirus/

    Excerpt:

    Cloud-connected, "smart" automated pet-feeder system Petnet has had a
    rough spring. The service not only went offline in February, but all its
    customer service vanished, too, leaving users in the dark until the
    company apologized and pushed a patch more than a week later. The service
    briefly returned for some users but fell off again in March. Now, after
    weeks of silence, the company is blaming COVID-19 for driving it offline
    for good -- even though its problems started weeks or months before the
    novel coronavirus became a significant concern.

    Several Petnet customers began reaching out to Ars during the second and
    third weeks of April to report that, once again, not only were their
    feeders not working, but also they couldn't reach anyone at Petnet about
    it. Everyone's feeders didn't go offline at the same time but seemed to
    fail in slow sequence over the period between 26 Mar and 13 Apr.

    The company emailed its customers on 26 Mar, blaming the novel coronavirus
    for outages and delays.

    On 14 Apr, Petnet posted another Tweet saying, "We are still experiencing
    SmartFeeder connection downtime due to an ongoing service disruption that
    is currently being investigated." As of 27 Apr, that remains the company's
    last tweet.

    [Tweet to eat? Did their service include automated bird-seed feeders?
    PGN]

    ------------------------------

    Date: 27 Apr 2020 22:22:38 -0400
    From: "John R. Levine" <johnl@iecc.com>
    Subject: Re: Spam filter censoring COVID content (Baker, RISKS-31.74)

    > I wasn't kidding when I said *censorship* is in operation here [...]

    Oh, please, this is like a time warp from the 1990s. Spam filtering is
    hard, and these days it's not optional because there's an order of magnitude more spam than real mail and people's mailboxes would be unusable without
    it. We are not thrilled that filters make mistakes but a single mistake is
    not a life altering experience.

    In your case, you're sending mail from Earthlink, which is not exactly a
    hotbed of sophisticated Internet users, so I can't blame other mail systems
    for viewing purported COVID warnings from Earthlink with some scepticism.

    ------------------------------

    Date: Tue, 28 Apr 2020 10:05:17 +0100
    From: Martin Ward <martin@gkc.org.uk>
    Subject: Re: How NASA does software testing and QA (Functionize)

    A couple of quotes from the article that I found depressing:

    Crumbley recommends the CMMI Institute's Capability Maturity Model Integration (CMMI) as a good process model.

    CMMI defined five "maturity levels" starting at level 1: "Processes unpredictable, poorly controlled and reactive."

    So to say that you use "CMMI" just means you have decided which maturity
    level your process is currently defined as. You could be level 1 and happy with it!

    Crumbley does not say what level NASA's software development department has currently reached, or what level they are aiming at nor what steps they are taking to reach the desired level. Instead he says:

    We use the CMMI model as a tool to see how our software development
    practices compare with other industries

    "Other industries" have woefully inadequate software development practices:
    as exemplified in every issue of comp.risks! Comparing yourself with them
    just gives a false sense of security. NASA's software requirements are so
    much more stringent than the vast majority of other industries: in other industries, if the software more-or-less works, only needs rebooting occasionally and only has a few zero-day exploits per week, then the
    software is considered to be a success. He does not even *mention* formal methods.

    ------------------------------

    Date: Tue, 28 Apr 2020 12:23:19 +0100
    From: Martin Ward <martin@gkc.org.uk>
    Subject: Re: Google's auto-complete for speech can cover up glitches in video

    The downside is that instead of asking someone to repeat something because
    of a dropout, you have to analyse everything and try and guess if they
    really said it, or it was just the AI guessing: "Did you really suggest injecting disinfectant as a coronavirus treatment, or did the AI make it
    up?"

    The upside is that you can abuse your boss out loud and blame it on the
    Google bot.

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.75
    ************************
